Main Vulnerability Database Vulnerabilities #VU101893

#VU101893 Permissions, privileges, and access controls in Apache Tomcat - CVE-2024-56337

Published: December 20, 2024

Vulnerability identifier: #VU101893

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2024-56337

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache Tomcat

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incomplete mitigation for #VU101814(CVE-2024-50379) on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false). A remote attacker can upload malicious files to the server and execute them compromising the system.

The mitigation bypass depends on the version of Java used on the system.

Remediation

Update to the latest version of Apache Tomcat and follow the instructions below:

- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

External links

https://lists.apache.org/thread/2bjnh3p78b89n5hw539hh31sr7tt7m22