Tracked as CVE-2024-56337 and issued because the original fix for CVE-2024-50379 was incomplete, the vulnerability exposes Apache Tomcat to possible remote code execution under specific circumstances. Installations running Tomcat on a case-insensitive file system with the default servlet write-enabled (the readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java they are using with Tomcat.
The underlying flaw is a Time-of-check Time-of-use (TOCTOU) race condition that can result in code execution on case-insensitive file systems (Windows being the common case) when the default servlet is enabled for write. "Concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution," Apache said in its advisory for CVE-2024-50379.
The affected versions, per the advisory, are:
- Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
- Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
- Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)
Because the race is in the JVM's canonical-path cache rather than in Tomcat alone, users are also advised to make the following change, according to the Java version used in their deployment (the property is a JVM system property, so it belongs on the Tomcat JVM's command line, typically via CATALINA_OPTS in bin/setenv.sh):
- Java 8 or Java 11 – Explicitly set system property sun.io.useCanonCaches to false (it defaults to true)
- Java 17 – Set system property sun.io.useCanonCaches to false, if already set (it defaults to false)
- Java 21 and later – No action is required, as the system property has been removed
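A quick way to apply the two checks above to an installation, as an added example that is neither the Apache advisory's nor the Tomcat project's code: it inspects a web.xml for a write-enabled default servlet and prints the JVM flag the advisory calls for. The function names, the constructed web.xml fragments, and the treatment of Java releases the advisory does not list (set the property to false anyway, on the assumption that it is harmless wherever it still exists) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Apache advisory or the Tomcat project.
# Two checks an operator would run after reading the advisory:
#   1. is the default servlet write-enabled (readonly=false) in web.xml?
#   2. which JVM flag, if any, does the installed Java version need?
# Function names, sample web.xml fragments and the handling of Java releases
# the advisory does not list are assumptions of this example.

CANON_FLAG='-Dsun.io.useCanonCaches=false'

# Major release number from a `java -version` string:
# "1.8.0_392" -> 8, "11.0.21" -> 11, "17.0.9" -> 17, "21" -> 21
java_major() {
  v=${1#\"}; v=${v%\"}          # tolerate surrounding quotes
  case "$v" in
    1.*) v=${v#1.} ;;           # legacy 1.x naming (Java 8 and older)
  esac
  printf '%s\n' "${v%%.*}"
}

# JVM flag to add for a given Java major version, per the advisory.
# Prints nothing when no flag is needed.
canon_cache_flag() {
  case "$1" in
    ''|*[!0-9]*) echo "canon_cache_flag: need a numeric major version" >&2; return 2 ;;
    8|11) printf '%s\n' "$CANON_FLAG" ;;   # default is true: must be set to false
    17)   printf '%s\n' "$CANON_FLAG" ;;   # default is false: explicit false also cancels a stray =true
    *)
      if [ "$1" -ge 21 ]; then
        :                                  # property removed in 21+: nothing to set
      else
        printf '%s\n' "$CANON_FLAG"        # assumption: other pre-21 releases still honour it
      fi ;;
  esac
}

# Exit 0 if the "default" servlet in the given web.xml has readonly=false.
# Whitespace is stripped and the text split at </servlet>, so the readonly
# init-param only counts inside the default servlet's own block.
# (Text-based check: a commented-out block would also match.)
default_servlet_writable() {
  tr -d ' \t\r\n' < "$1" \
    | awk '{ gsub(/<\/servlet>/, "&\n"); print }' \
    | grep '<servlet-name>default</servlet-name>' \
    | grep -q '<param-name>readonly</param-name><param-value>false</param-value>'
}

# Constructed web.xml fragments for the demo (stock Tomcat ships readonly=true).
WRITABLE_WEBXML='<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>'
READONLY_WEBXML='<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>'

# Write a fragment to a temp file and report whether it is exposed.
check_fragment() {   # $1 label, $2 web.xml text
  tmp=$(mktemp)
  printf '%s\n' "$2" > "$tmp"
  if default_servlet_writable "$tmp"; then
    echo "$1: default servlet is write-enabled; upgrade Tomcat and set the JVM flag"
  else
    echo "$1: default servlet is read-only (not exposed to CVE-2024-50379)"
  fi
  rm -f "$tmp"
}

check_fragment WRITABLE_WEBXML "$WRITABLE_WEBXML"
check_fragment READONLY_WEBXML "$READONLY_WEBXML"

# If a JVM is on PATH, print the setenv.sh line for the installed Java.
if command -v java >/dev/null 2>&1; then
  ver=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  major=$(java_major "$ver")
  flag=$(canon_cache_flag "$major")
  echo "Java $major detected; add to bin/setenv.sh:"
  echo "CATALINA_OPTS=\"\$CATALINA_OPTS $flag\""
fi
```

On a real installation, point default_servlet_writable at $CATALINA_BASE/conf/web.xml and at any application's WEB-INF/web.xml that redeclares the default servlet, since either can turn readonly off. The printed CATALINA_OPTS line only takes effect if it reaches the Tomcat JVM's command line (bin/setenv.sh, or the service wrapper's JVM options on Windows); the flag is a mitigation for the unfixed versions listed above, not a substitute for upgrading.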