New Apache Tomcat Vulnerabilities Let Attackers Execute Remote Code


Two critical vulnerabilities have been discovered in Apache Tomcat, the popular open-source web server and servlet container, potentially allowing attackers to execute remote code and cause a denial of service.

The Apache Software Foundation has released patches to address these security flaws, urging users to upgrade immediately.

The first vulnerability, CVE-2024-50379, is rated as “Important” and affects Apache Tomcat versions 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97.

This flaw allows remote code execution under specific conditions. Attackers can exploit a race condition during concurrent read and upload operations if the default servlet is configured with write permissions on a case-insensitive file system.

This bypass of Tomcat’s case sensitivity checks can lead to uploaded files being treated as JSPs, ultimately resulting in remote code execution.

The second vulnerability, CVE-2024-54677, is classified as “Low” severity but still poses a significant threat. It affects the same versions of Apache Tomcat and enables attackers to trigger a denial of service attack.

The vulnerability stems from the examples web application shipped with Tomcat, where numerous examples fail to limit the size of uploaded data. This oversight can lead to an OutOfMemoryError, causing a denial of service.


However, it's worth noting that by default, the examples web application is only accessible from localhost, which somewhat limits the attack surface.

Security researchers Elysee Franchuk, Nacl, WHOAMI, Yemoli, and Ruozhi, along with the Tomcat security team, are credited with identifying these vulnerabilities.

To mitigate these risks, the Apache Software Foundation strongly recommends users upgrade to the latest patched versions:

  • Apache Tomcat 11.0.2 or later
  • Apache Tomcat 10.1.34 or later
  • Apache Tomcat 9.0.98 or later
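As an added defender-side check (not from the advisory or the Tomcat project), the script below flags an installation that is below the fixed release for its line and whose global conf/web.xml sets the DefaultServlet to readonly=false, the write-enabled configuration the advisory names as the precondition for CVE-2024-50379. The accepted version formats and the sample web.xml are assumptions constructed for the example.

```python
"""Added check (not from the advisory or the Tomcat project): is this Tomcat
below its line's fixed release, and is the DefaultServlet writable?"""
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by release line.
FIXED = {(11, 0): "11.0.2", (10, 1): "10.1.34", (9, 0): "9.0.98"}

def parse_version(v):
    """'10.1.33', '9.0.0.M1' or '11.0.0-M1' -> comparable tuple (assumed formats).
    Milestone builds sort before the final release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch)) + ((0, int(ms)) if ms else (1, 0))

def needs_upgrade(version):
    """True if `version` is older than the fixed release of its line
    (the affected ranges given for CVE-2024-50379 and CVE-2024-54677)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < parse_version(fixed)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def default_servlet_writable(web_xml):
    """True if the DefaultServlet carries init-param readonly=false."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if not any("DefaultServlet" in (e.text or "") for e in servlet if _local(e.tag) == "servlet-class"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False

# Constructed sample web.xml with the risky setting present.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
```

Run `needs_upgrade()` against the version reported by `catalina.sh version` and `default_servlet_writable()` against the real conf/web.xml; a hit on both, on a case-insensitive filesystem, is the configuration the advisory describes.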

These updates address both vulnerabilities and significantly enhance the security of Tomcat installations. Organizations using affected versions should prioritize these upgrades to protect their systems from potential exploitation.

The discovery of these vulnerabilities underscores the importance of regular security audits and prompt patching in web server environments.

As Apache Tomcat is widely used in enterprise settings, the potential impact of these flaws is substantial.

IT administrators and security professionals should take immediate action to assess their Tomcat deployments and apply the necessary updates.

While the Apache Software Foundation has acted swiftly to address these issues, the incident serves as a reminder of the ongoing challenges in maintaining security in complex software ecosystems.

As always, staying informed about the latest security advisories and maintaining up-to-date software versions remain crucial practices in the ever-evolving landscape of cybersecurity.



