Critical Apache Tomcat RCE Alert: CVE-2024-56337
Discover how an incomplete mitigation for a previous Apache Tomcat flaw led to the new CVE-2024-56337 vulnerability.
12/24/2024


Apache Tomcat Patch Released After Partial Fix
The Apache Software Foundation (ASF) has issued a crucial security update for Apache Tomcat following the discovery of a high-severity vulnerability that could enable remote code execution (RCE) under specific setups. This latest vulnerability, identified as CVE-2024-56337, highlights a shortcoming in the fix for an earlier critical flaw, CVE-2024-50379 (CVSS score: 9.8), that was initially addressed on December 17, 2024.
What’s the Issue?
Both CVE-2024-56337 and CVE-2024-50379 involve a time-of-check/time-of-use (TOCTOU) race condition. The problem arises on case-insensitive filesystems (e.g., Windows, macOS, or certain Linux configurations) where Tomcat’s default servlet is permitted to write files. Concurrent read and upload operations on the same file can bypass Tomcat’s case-sensitivity checks, so an uploaded file can be interpreted and executed as a JSP. If successful, attackers could run arbitrary code on the compromised server.
Affected Versions
Apache Tomcat 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 or later)
Apache Tomcat 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 or later)
Apache Tomcat 9.0.0.M1 to 9.0.97 (fixed in 9.0.98 or later)
Administrators and users running these Tomcat versions should update immediately to avoid potential exploits. Even after upgrading, the ASF warns that specific configuration changes could be necessary based on the Java version being used.
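The two preconditions described above (an affected Tomcat release, and a default servlet that is allowed to write files) can be checked from an inventory script. The following is an added example written for this post; it is not code from the ASF or the Tomcat project. The affected and fixed version ranges are taken from the list above. The check for writable default-servlet behaviour looks for Tomcat's standard DefaultServlet "readonly" init-param set to false in a web.xml, which is the setting that permits writes; the sample web.xml embedded below is constructed for the example, and branches not listed in this post (for example 8.5.x) are reported as not covered rather than guessed.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# First fixed release per branch, as listed in the post above. Any version on the
# same branch below the fixed release is affected. Branches absent here are not
# covered by this advisory, so the script reports them as unknown.
FIXED_VERSIONS = {
    (11, 0): (11, 0, 2),
    (10, 1): (10, 1, 34),
    (9, 0): (9, 0, 98),
}

# Accepts '11.0.1', '10.1.0-M1' and the older '9.0.0.M1' milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn a Tomcat version string into a comparable tuple.
    Milestones (M1, M2, ...) sort before the GA release with the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # (..., 0, n) for milestone n; (..., 1, 0) for a GA release
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the release is in an affected range, False if at or after the
    fixed release, None if the branch is not covered by this advisory."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed + (1, 0)


def _local(tag: str) -> str:
    """Strip the XML namespace ({...}tag) so javaee and jakartaee files both work."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if a DefaultServlet declaration sets init-param readonly=false.
    Tomcat's DefaultServlet is read-only unless that parameter is set to false,
    so a missing parameter is reported as not writable."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((e.text or "" for e in servlet if _local(e.tag) == "servlet-class"), "")
        if not cls.strip().endswith(".DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() == "false"
        return False
    return False


def assess(version: str, web_xml: str) -> str:
    """Combine both checks into a one-line finding for an inventory report."""
    affected = is_affected(version)
    if affected is None:
        return "branch not covered by this advisory; consult the ASF guidance"
    if not affected:
        return "fixed release; still review the ASF's Java-version-specific configuration notes"
    if default_servlet_writable(web_xml):
        return "VULNERABLE: affected release with DefaultServlet readonly=false; upgrade now"
    return "affected release but DefaultServlet is read-only; upgrade anyway"


# Constructed sample web.xml (not from any real deployment) with writes enabled.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for ver in ("9.0.97", "9.0.98", "10.1.0-M1", "11.0.1", "11.0.2", "8.5.100"):
        print(f"{ver:>10}: {assess(ver, SAMPLE_WEB_XML)}")
```

Run it against the Tomcat version reported by `catalina.sh version` (or the server's version string) and the effective web.xml (conf/web.xml plus any per-application override that redeclares the default servlet); the "readonly" check only sees what is declared in the file it is given, so pass the file where the default servlet is actually configured.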
Why It Matters
When vulnerabilities enabling RCE go unpatched, attackers can potentially upload malicious files or manipulate server processes to gain unauthorized access and compromise broader systems. Given that Tomcat remains a cornerstone of many enterprise web environments, the potential risk to data and operations is significant.