Apache has released a security update that addresses an important vulnerability in the Tomcat web server that could allow an attacker to achieve remote code execution.
Apache Tomcat is an open-source web server and servlet container widely used to deploy and run Java-based web applications. It provides a runtime environment for Java Servlets, JavaServer Pages (JSP), and Java WebSocket technologies.
The product is popular with large enterprises that run custom web apps and with SaaS providers that rely on Java for backend services. Cloud and hosting services integrate Tomcat for app hosting, and software developers use it to build, test, and deploy web apps.
The vulnerability fixed in the new release is tracked as CVE-2024-56337 and addresses an incomplete mitigation for CVE-2024-50379, a critical remote code execution (RCE) flaw, for which the vendor released an incomplete patch on December 17.
The security issue is a time-of-check time-of-use (TOCTOU) race condition vulnerability that affects systems with default servlet write enabled (the ‘readonly’ initialization parameter set to false) and running on case-insensitive file systems.
The issue affects Apache Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97.
Users should upgrade to the latest Tomcat versions: 11.0.2, 10.1.34, and 9.0.98.
Addressing the issue requires additional steps. Depending on the Java version in use, users need to perform the following actions in addition to upgrading:
- For Java 8 or 11, it is recommended to set the system property ‘sun.io.useCanonCaches’ to ‘false’ (default: true).
- For Java 17, ensure ‘sun.io.useCanonCaches’, if set, is configured as false (default: false).
- For Java 21 and later, no configuration is required. The property and the problematic cache have been removed.
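As an added configuration audit (example code written for this article, not from Apache or the Tomcat project), the following checks the three preconditions named above: a write-enabled default servlet in conf/web.xml, a case-insensitive file system, and the per-Java-version rule for sun.io.useCanonCaches. The web.xml fragment is constructed; the Java major version, the property value and the file-system flag are passed in by the caller.

```python
# Added audit of the CVE-2024-50379 / CVE-2024-56337 preconditions (constructed example).
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragment with default servlet writes enabled.
WEB_XML_WRITE_ENABLED = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(el: ET.Element) -> str:
    """Tag name without its XML namespace (Tomcat 9 and 10+ use different ones)."""
    return el.tag.split("}")[-1]

def default_servlet_readonly(web_xml: str) -> bool:
    """Effective 'readonly' of the servlet named 'default': absent means true, and
    when present only the literal string "true" (any case) keeps writes disabled."""
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e) == "servlet"):
        name = next((c.text or "" for c in servlet if _local(c) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        for param in (p for p in servlet if _local(p) == "init-param"):
            kv = {_local(c): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "true"
    return True

def canon_caches_safe(java_major: int, use_canon_caches: Optional[str]) -> bool:
    """The advisory's per-Java-version rule for sun.io.useCanonCaches."""
    explicit_false = use_canon_caches is not None and use_canon_caches.lower() == "false"
    if java_major >= 21:   # property and cache removed: nothing to set
        return True
    if java_major >= 17:   # default false: only an explicit non-false value is unsafe
        return use_canon_caches is None or explicit_false
    # Java 8/11 default true; releases the advisory does not name get the same rule.
    return explicit_false

def needs_extra_mitigation(java_major: int, use_canon_caches: Optional[str],
                           readonly: bool, case_insensitive_fs: bool) -> bool:
    """True when the steps beyond upgrading Tomcat are still outstanding."""
    return case_insensitive_fs and not readonly and not canon_caches_safe(java_major, use_canon_caches)
```

Upgrading Tomcat itself is required in every case; this only reports whether the additional property step is still missing on a host.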
The Apache team shared plans for security enhancements in the upcoming versions of Tomcat, 11.0.3, 10.1.35, and 9.0.99.
Specifically, Tomcat will check that ‘sun.io.useCanonCaches’ is set correctly before enabling write access for the default servlet on case-insensitive file systems, and will default ‘sun.io.useCanonCaches’ to false where possible.
These changes aim to enforce safer configurations automatically and reduce the risk of exploitation of CVE-2024-50379 and CVE-2024-56337.