
Apache Tomcat Remote Code Execution Vulnerability (CVE-2024-50379)

Dec 19, 2024 GMT+08:00

I. Overview

Recently, Apache Tomcat issued a security notice regarding a remote code execution vulnerability (CVE-2024-50379) in certain versions. The vulnerability stems from a flaw in file path verification. If the default servlet is write-enabled (the readonly initialisation parameter set to the non-default value of false) on a case-insensitive file system, concurrent reading and uploading of the same file under load can bypass Tomcat's case-sensitivity checks and cause an uploaded file to be treated as a JSP, leading to remote code execution.

Apache Tomcat is a popular Java web application server. If you use Apache Tomcat, check your version and apply security hardening promptly.

Reference:

https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache Tomcat 11.0.0-M1 ~ 11.0.1

Apache Tomcat 10.1.0-M1 ~ 10.1.33

Apache Tomcat 9.0.0.M1 ~ 9.0.97

Secure versions:

Apache Tomcat 11.0.2

Apache Tomcat 10.1.34

Apache Tomcat 9.0.98

IV. Vulnerability Handling

This vulnerability has been fixed in later official releases. If your version falls within the affected range, upgrade to the latest secure version:

Apache Tomcat 11: https://tomcat.apache.org/download-11.cgi

Apache Tomcat 10: https://tomcat.apache.org/download-10.cgi

Apache Tomcat 9: https://tomcat.apache.org/download-90.cgi

Note: Before applying the fix, back up your files and test thoroughly.
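The two preconditions named in the overview (an affected version and a write-enabled default servlet) can be checked together before deciding how urgently to upgrade. The following is an added example, not code from the notice or from the Apache Tomcat project; it assumes the version string is taken from the running instance (for example from version.sh) and that the web.xml text comes from the server's conf/web.xml. The sample web.xml excerpt is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, taken from the notice above (CVE-2024-50379).
FIXED = {(11, 0): "11.0.2", (10, 1): "10.1.34", (9, 0): "9.0.98"}

def parse_version(v):
    """'9.0.0.M1', '11.0.0-M1' or '10.1.34' -> sortable tuple (milestones sort first)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))

def is_affected(version):
    """True/False for the 9.0, 10.1 and 11.0 branches; None if the notice does not cover the branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < parse_version(fixed)

def default_servlet_writable(web_xml_text):
    """True if the default servlet's readonly init-param is false (absent means the default, true)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iterfind("{*}servlet"):  # {*} matches any XML namespace
        if (servlet.findtext("{*}servlet-name") or "").strip() != "default":
            continue
        for param in servlet.iterfind("{*}init-param"):
            if (param.findtext("{*}param-name") or "").strip() == "readonly":
                return (param.findtext("{*}param-value") or "").strip().lower() == "false"
    return False

def exposure(version, web_xml_text):
    """One verdict combining the two preconditions the notice names."""
    affected = is_affected(version)
    if affected is None:
        return "branch not covered by this notice"
    if not affected:
        return "fixed version"
    if default_servlet_writable(web_xml_text):
        return "affected version with write-enabled default servlet: upgrade now"
    return "affected version, default servlet read-only: upgrade on schedule"

# Constructed sample of a conf/web.xml excerpt carrying the risky non-default setting.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

A case-insensitive file system (Windows, macOS by default) is the third precondition; the check above does not detect it, so treat the "upgrade now" verdict as applying to those hosts first.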