Apache fixes remote code execution bypass in Tomcat web server


Apache has released a security update that addresses an important vulnerability in the Tomcat web server that could allow an attacker to achieve remote code execution.

Apache Tomcat is an open-source web server and servlet container widely used to deploy and run Java-based web applications. It provides a runtime environment for Java Servlets, JavaServer Pages (JSP), and Java WebSocket technologies.

The product is popular with large enterprises that run custom web apps and with SaaS providers that rely on Java for backend services. Cloud and hosting services integrate Tomcat for app hosting, and software developers use it to build, test, and deploy web apps.

The vulnerability fixed in the new release is tracked as CVE-2024-56337. It covers an incomplete mitigation for CVE-2024-50379, a critical remote code execution (RCE) vulnerability for which the vendor released an incomplete patch on December 17.

The security issue is a time-of-check time-of-use (TOCTOU) race condition vulnerability that affects systems with the default servlet write enabled (‘readonly’ initialization parameter set to false) and running on case-insensitive file systems.

The issue affects Apache Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97.

Users should upgrade to the latest Tomcat versions: 11.0.2, 10.1.34, and 9.0.98.

Addressing the issue requires additional steps. Depending on the Java version in use, users need to perform the following actions, besides upgrading:

  • For Java 8 or 11, it is recommended to set the system property ‘sun.io.useCanonCaches’ to ‘false’ (default: true).
  • For Java 17, ensure ‘sun.io.useCanonCaches’, if set, is configured as false (default: false).
  • For Java 21 and later, no configuration is needed. The property and problematic cache have been removed.
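The per-Java-version guidance above can be turned into a configuration audit. The following is an added example, not code from Apache or the original article. It checks only the extra configuration step (not the Tomcat version or file-system case sensitivity), and the function names, the sample web.xml and the handling of Java releases the article does not list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PROP = "sun.io.useCanonCaches"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _children(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def default_servlet_writable(web_xml):
    """True if a DefaultServlet declaration carries init-param readonly=false."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _children(servlet).get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            kv = _children(param)
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False

def canon_caches(jvm_opts):
    """None if the property is unset, 'false' if every occurrence is false, else 'true'."""
    values = re.findall(r"-D" + re.escape(PROP) + r"=(\S+)", jvm_opts)
    if not values:
        return None
    return "false" if all(v.lower() == "false" for v in values) else "true"

def finding(java_major, jvm_opts, web_xml):
    """Return the extra step the guidance calls for, or None if nothing is needed."""
    if java_major >= 21 or not default_servlet_writable(web_xml):
        return None
    setting = canon_caches(jvm_opts)
    if java_major >= 17:  # Java 17 (assumption: 18-20 likewise): only an explicit true matters
        return f"set -D{PROP}=false" if setting == "true" else None
    # Java 8 or 11 (assumption: other pre-17 releases treated the same): default is true
    return f"set -D{PROP}=false" if setting != "false" else None

# Constructed sample web.xml, not taken from a real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

if __name__ == "__main__":
    for java, opts in [(11, "-Xmx512m"), (11, f"-D{PROP}=false"), (17, ""), (21, "")]:
        print(f"Java {java} opts={opts!r}: {finding(java, opts, SAMPLE_WEB_XML) or 'ok'}")
```

A result of `None` means only that no additional property change is called for; upgrading to a fixed Tomcat release is still required.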

The Apache team shared plans for security enhancements in the upcoming versions of Tomcat, 11.0.3, 10.1.35, and 9.0.99.

Specifically, Tomcat will check that ‘sun.io.useCanonCaches’ is set correctly before enabling write access for the default servlet on case-insensitive file systems, and will default ‘sun.io.useCanonCaches’ to false where possible.

These changes aim to enforce safer configurations automatically and reduce the risk of exploitation of CVE-2024-50379 and CVE-2024-56337.


