Apache fixes remote code execution bypass in Tomcat web server
Apache has released a security update to address an important vulnerability in Tomcat web server that could lead to an attacker achieving remote code execution.
Apache Tomcat is an open-source web server and servlet container widely used to deploy and run Java-based web applications. It provides a runtime environment for Java Servlets, JavaServer Pages (JSP), and Java WebSocket technologies.
The product is popular with large enterprises that run custom web apps and with SaaS providers that rely on Java for backend services. Cloud and hosting services integrate Tomcat for app hosting, and software developers use it to build, test, and deploy web apps.
The vulnerability fixed is tracked as CVE-2024-56337, and it represents a complete mitigation for CVE-2024-50379, a critical remote code execution (RCE) flaw for which the vendor released a patch on December 17.
After releasing the update that fixes CVE-2024-50379, the Apache team learned that the mitigation was incomplete for deployments running on older versions of the Java virtual machine.
Both CVE identifiers refer to the same vulnerability, but with CVE-2024-56337 Apache provides additional mitigation details that completely address the initial vulnerability, highlighting that admins have to make some changes manually.
As such, the initial recommendation to upgrade to the latest Tomcat versions (currently 11.0.2, 10.1.34, and 9.0.98) is not sufficient to address the risk, and the following changes are also required:
- if running on Java 8 or 11, it is recommended to set the system property ‘sun.io.useCanonCaches’ to ‘false’ (default: true)
- if running on Java 17 and ‘sun.io.useCanonCaches’ is set, it needs to be configured as false (default: false)
- for Java 21 and later, no configuration is needed. The property and problematic cache have been removed
The security issue is a time-of-check time-of-use (TOCTOU) race condition vulnerability that affects systems with the default servlet write enabled (‘readonly’ initialization parameter set to false) and running on case-insensitive file systems.
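The per-Java-version rule in the list above and the default-servlet condition just described can be checked from the command line. The following audit helper is an added example, not Apache's own tooling; it takes the `java -version` line, the JVM options string (for example CATALINA_OPTS from bin/setenv.sh) and the conf/web.xml text as inputs supplied by the caller, so it runs offline against the constructed sample it embeds.

```shell
#!/bin/sh
# Added audit helper for the CVE-2024-56337 mitigation above (not Apache's own tooling).
# All inputs are strings passed by the caller, so it runs offline; real sources noted per function.

# Java major version from the first line of `java -version` output (legacy "1.8.0_x" or modern "11.0.2"/"21").
java_major_from_version_line() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# Value of -Dsun.io.useCanonCaches in a JVM options string (CATALINA_OPTS/JAVA_OPTS, usually bin/setenv.sh); empty if absent.
canon_cache_prop_from_opts() {
  printf '%s\n' "$1" | sed -n 's/.*-Dsun\.io\.useCanonCaches=\([^ ]*\).*/\1/p'
}

# Advisory rule per Java major: "ok" when mitigated, otherwise the change still required.
canon_cache_status() {
  major=$1; prop=$2
  case "$major" in
    8|11) [ "$prop" = false ] && echo ok || echo "set -Dsun.io.useCanonCaches=false" ;;
    17)   [ "$prop" = true ] && echo "change sun.io.useCanonCaches to false" || echo ok ;;
    *)    [ "$major" -ge 21 ] 2>/dev/null && echo ok || echo "Java $major: verify manually" ;;
  esac
}

# Default servlet write access: reads conf/web.xml text from stdin, prints "writable" if readonly=false, else "readonly".
default_servlet_writable() {
  awk '
    /<servlet>/ { inblk=1; name=""; ro=""; want=0 }
    inblk && /<servlet-name>/ { gsub(/.*<servlet-name>|<\/servlet-name>.*/, ""); name=$0 }
    inblk && /<param-name>readonly<\// { want=1 }
    inblk && want && /<param-value>/ { gsub(/.*<param-value>|<\/param-value>.*/, ""); ro=$0; want=0 }
    /<\/servlet>/ { if (name=="default" && ro=="false") found=1; inblk=0 }
    END { print (found ? "writable" : "readonly") }'
}

# Constructed sample web.xml fragment with write access enabled on the default servlet.
SAMPLE_WEB_XML='<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>'

# Demo on constructed inputs: Java 11 with no property set must be flagged; the sample web.xml is writable.
major=$(java_major_from_version_line 'openjdk version "11.0.21" 2023-10-17')
echo "Java $major: $(canon_cache_status "$major" "$(canon_cache_prop_from_opts '-Xmx2g')")"
printf '%s\n' "$SAMPLE_WEB_XML" | default_servlet_writable
```

A host only needs the property change when both conditions hold: the Java version branch reports a required change and the default servlet is writable on a case-insensitive file system.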
The issue affects Apache Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97.
The Apache team shared plans for security enhancements in the upcoming versions of Tomcat, 11.0.3, 10.1.35, and 9.0.99. Specifically, Tomcat will check that ‘sun.io.useCanonCaches’ is set correctly before enabling write access for the default servlet on case-insensitive file systems, and will default ‘sun.io.useCanonCaches’ to false where possible.
These changes aim to enforce safer configurations automatically and reduce the risk of exploitation of CVE-2024-50379 and CVE-2024-56337.
UPDATE [December 24]: Article edited to clarify that the new vulnerability adds mitigation details for instances running older versions of Java