Permissions, privileges, and access controls in Apache Tomcat - CVE-2024-56337


Published: December 20, 2024


Vulnerability identifier: #VU101893
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-56337
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Tomcat

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incomplete mitigation for #VU101814 (CVE-2024-50379) on a case-insensitive file system with the default servlet write-enabled (the readonly initialisation parameter set to the non-default value of false). A remote attacker can upload malicious files to the server and execute them, compromising the system.

The mitigation bypass depends on the version of Java used on the system.


How to mitigate CVE-2024-56337

Update to the latest version of Apache Tomcat and follow the instructions below:

- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)


Sources