#VU101893 Permissions, privileges, and access controls in Apache Tomcat - CVE-2024-56337

Vulnerability identifier: #VU101893

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-56337

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incomplete mitigation for #VU101814(CVE-2024-50379) on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false). A remote attacker can upload malicious files to the server and execute them compromising the system.

The mitigation bypass depends on the version of Java used on the system.

Mitigation

Update to the latest version of Apache Tomcat and follow the instructions below:

- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Vulnerable software versions

Apache Tomcat: 9.0.0-M1 - 9.0.97, 10.0.0-M1 - 10.0.27, 10.1.0-M1 - 10.1.33, 11.0.0-M1 - 11.0.1

---

External links
https://lists.apache.org/thread/2bjnh3p78b89n5hw539hh31sr7tt7m22

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.