
The Apache Software Foundation (ASF) has issued a crucial security update to address a newly identified vulnerability in Apache Tomcat, one of the most widely used Java servlet containers. This vulnerability, tracked as CVE-2024-56337, poses a significant risk as it could enable remote code execution (RCE) under specific conditions. The flaw is an incomplete mitigation of a previously reported vulnerability, CVE-2024-50379, which carries a high severity CVSS score of 9.8.
Background and Scope of the Vulnerability
The original issue, CVE-2024-50379, is a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability. It affects servers running Tomcat on case-insensitive file systems where the default servlet’s write feature is enabled (when the readonly initialization parameter is set to false). Under these conditions, attackers can exploit concurrent read and upload processes of the same file to bypass Tomcat’s case-sensitivity checks. This can lead to malicious files being treated as JavaServer Pages (JSP), thereby enabling code execution.
CVE-2024-56337 was assigned because the remediation implemented for CVE-2024-50379 turned out to be incomplete. It affects multiple Apache Tomcat versions:
Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)
Technical Details and Impact
The vulnerability resides in a TOCTOU race condition that could allow an attacker to upload files treated as JSP on case-insensitive file systems. This bypasses Tomcat’s checks and potentially leads to RCE. While the flaw has been classified as critical, its exploitation depends on specific configurations and conditions, making immediate mitigation essential.
Mitigation Measures
The ASF has provided detailed guidance for mitigating CVE-2024-56337 based on the Java version used with Apache Tomcat:
Java 8 or Java 11: Set the system property sun.io.useCanonCaches to false. This property defaults to true and must be explicitly modified.
Java 17: Verify that the sun.io.useCanonCaches property is set to false. By default, it is already false, but it’s essential to confirm.
Java 21 and later: No action is needed, as the property has been deprecated and removed.
Administrators should ensure they upgrade to the patched versions of Apache Tomcat (11.0.2, 10.1.34, or 9.0.98) and review their server configurations to disable unnecessary write permissions for the default servlet. Implementing these measures minimizes the attack surface and mitigates the risk of exploitation.
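The following check is an added example (not code from the ASF advisory) that turns the preconditions above into a single assessment: Tomcat patch level against the fixed releases, the default servlet's readonly setting, and the sun.io.useCanonCaches value required for the running Java major version. It assumes the operator has already gathered the version string, the Java major version as an integer, the readonly value from web.xml, the JVM option string, and whether the file system is case-insensitive.

```python
"""Exposure check for the CVE-2024-50379 / CVE-2024-56337 precondition chain."""
import re
from typing import Optional

# Lowest fixed release per supported branch, as listed in the advisory.
FIXED = {11: (11, 0, 2), 10: (10, 1, 34), 9: (9, 0, 98)}


def parse_version(v: str) -> tuple:
    """'10.1.33', '11.0.0-M1' or '9.0.0.M1' -> comparable tuple.
    A milestone sorts below the release it precedes: (9,0,0,0,1) < (9,0,0,1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    ms = m.group(4)
    return (major, minor, patch, 1) if ms is None else (major, minor, patch, 0, int(ms))


def tomcat_is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release of its branch."""
    parsed = parse_version(version)
    if parsed[0] not in FIXED:
        raise ValueError(f"branch {parsed[0]}.x is not covered by the advisory")
    return parsed >= FIXED[parsed[0]]


def canon_caches_from_opts(jvm_opts: str) -> Optional[bool]:
    """Value of -Dsun.io.useCanonCaches in a JVM option string, None if unset."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(true|false)\b", jvm_opts)
    return None if m is None else m.group(1) == "true"


def assess(tomcat_version: str, java_major: int, readonly: bool,
           jvm_opts: str, case_insensitive_fs: bool) -> list:
    """Return findings; an empty list means every link of the chain checked here is closed.
    java_major is the plain major number (8, 11, 17, 21), an assumption of this example."""
    findings = []
    if not tomcat_is_patched(tomcat_version):
        findings.append(f"Tomcat {tomcat_version} is below the fixed release for its branch")
    if not case_insensitive_fs:
        return findings  # the race needs a case-insensitive file system; patch level still reported
    if not readonly:
        findings.append("default servlet has readonly=false: uploads through the default servlet are enabled")
    canon = canon_caches_from_opts(jvm_opts)
    if java_major <= 11 and canon is not False:
        findings.append("Java 8/11: sun.io.useCanonCaches defaults to true; set -Dsun.io.useCanonCaches=false")
    elif 17 <= java_major < 21 and canon is True:
        findings.append("Java 17: sun.io.useCanonCaches was explicitly enabled; set it back to false")
    return findings
```

Run assess() against each Tomcat instance's collected settings; anything it returns is a concrete item to fix before treating the host as remediated.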
Contributions and Acknowledgments
The ASF has credited several security researchers for their contributions in identifying and reporting the vulnerabilities. The team includes Nacl, WHOAMI, Yemoli, and Ruozhi, whose collaborative efforts helped uncover the flaws. Additionally, the KnownSec 404 Team independently reported CVE-2024-56337 and provided a proof-of-concept (PoC), highlighting the severity of the issue.
Broader Implications and Related Threats
The discovery of CVE-2024-56337 underscores the complexity of mitigating TOCTOU vulnerabilities and the need for comprehensive testing during patch deployment. It also highlights the broader challenges organizations face in securing critical infrastructure against sophisticated attacks.
In a related development, the Zero Day Initiative (ZDI) disclosed details of another critical vulnerability in Webmin, a popular web-based system administration tool. Tracked as CVE-2024-12828, this flaw has an even higher CVSS score of 9.9. It allows authenticated remote attackers to execute arbitrary code due to improper validation of user-supplied input in CGI requests. This emphasizes the importance of maintaining robust input validation mechanisms and timely patch management.

Recommendations
Upgrade Apache Tomcat: Administrators must update to the latest patched versions (11.0.2, 10.1.34, or 9.0.98) immediately to address CVE-2024-56337.
Review Java Settings: Adjust the sun.io.useCanonCaches property as recommended for your specific Java version.
Reconfigure Default Servlets: Disable write permissions for the default servlet unless absolutely necessary. This precaution reduces the risk of unauthorized file uploads.
Perform Security Audits: Conduct regular security assessments to identify potential misconfigurations or vulnerabilities.
Monitor for Exploitation Attempts: Implement intrusion detection and prevention systems (IDS/IPS) to identify signs of exploitation targeting known vulnerabilities.
Patch Related Systems: If your environment includes Webmin or other critical tools, ensure that all systems are updated to address related vulnerabilities such as CVE-2024-12828.
Conclusion
The Apache Tomcat vulnerability CVE-2024-56337 serves as a stark reminder of the challenges associated with securing critical systems. Administrators must act swiftly to implement the provided patches and configuration changes to protect against RCE attacks. By adopting a proactive security posture and staying informed about emerging threats, organizations can better safeguard their infrastructure and maintain resilience against evolving cyber risks.