The Apache Software program Basis (ASF) has launched a safety replace to deal with an vital vulnerability in its Tomcat server software program that would end in distant code execution (RCE) beneath sure circumstances.
The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS rating: 9.8), one other essential safety flaw in the identical product that was beforehand addressed on December 17, 2024.
“Customers operating Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default worth of false) may have further configuration to completely mitigate CVE-2024-50379 relying on which model of Java they’re utilizing with Tomcat,” the undertaking maintainers stated in an advisory final week.
Each the failings are Time-of-check Time-of-use (TOCTOU) race situation vulnerabilities that would end in code execution on case-insensitive file programs when the default servlet is enabled for write.
“Concurrent learn and add beneath load of the identical file can bypass Tomcat’s case sensitivity checks and trigger an uploaded file to be handled as a JSP resulting in distant code execution,” Apache famous in an alert for CVE-2024-50379.
CVE-2024-56337 impacts the under variations of Apache Tomcat –
- Apache Tomcat 11.0.0-M1 to 11.0.1 (Mounted in 11.0.2 or later)
- Apache Tomcat 10.1.0-M1 to 10.1.33 (Mounted in 10.1.34 or later)
- Apache Tomcat 9.0.0.M1 to 9.0.97 (Mounted in 9.0.98 or later)
Moreover, customers are required to hold out the next configuration modifications relying on the model of Java being run –
- Java 8 or Java 11 – Explicitly set system property solar.io.useCanonCaches to false (it defaults to true)
- Java 17 – Set system property solar.io.useCanonCaches to false, if already set (it defaults to false)
- Java 21 and later – No motion is required, because the system property has been eliminated
The ASF credited safety researchers Nacl, WHOAMI, Yemoli, and Ruozhi for figuring out and reporting each shortcomings. It additionally acknowledged the KnownSec 404 Crew for independently reporting CVE-2024-56337 with a proof-of-concept (PoC) code.
The disclosure comes because the Zero Day Initiative (ZDI) shared particulars of a essential bug in Webmin (CVE-2024-12828, CVSS rating: 9.9) that enables authenticated distant attackers to execute arbitrary code.
“The precise flaw exists inside the dealing with of CGI requests,” the ZDI stated. “The difficulty outcomes from the dearth of correct validation of a user-supplied string earlier than utilizing it to execute a system name. An attacker can leverage this vulnerability to execute code within the context of root.”