Apache Patches Critical Remote Code Execution Vulnerability in Tomcat

The Apache Software Foundation has issued an urgent security advisory regarding a critical remote code execution (RCE) vulnerability in Apache Tomcat, now tracked as CVE-2024-56337. 

This security flaw, which emerged from an incomplete fix for the earlier CVE-2024-50379, poses a significant risk to systems running on case-insensitive filesystems.

The flaw is a time-of-check/time-of-use race in how Tomcat decides whether a request maps to a JavaServer Pages (JSP) file. Tomcat's servlet mappings are case-sensitive: a request for a path ending in '.jsp' is routed to the JSP servlet, while a PUT to the same name with a different case (for example '.Jsp') falls through to the default servlet, which writes the file to disk if write support is enabled.

On a case-insensitive filesystem such as Windows NTFS, the file written as '.Jsp' is the same file as '.jsp'. Tomcat does check for this kind of case mismatch, but the check can be raced: by issuing the PUT and a GET for the lowercase name concurrently, an attacker can get the uploaded content compiled and executed as a JSP, which is remote code execution in the context of the Tomcat process.
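As an added example (not part of the original article, and not code from Apache or the researchers credited below), the following Python script turns the request pattern just described into a detection that can be run over Tomcat access-log lines: it flags write requests whose extension matches '.jsp' only case-insensitively, and a GET for a JSP name that follows a PUT to the same name (in any case) within a short window. The log lines are constructed for the example; the AccessLogValve "common" format and the five-second window are assumptions.

```python
"""Detect CVE-2024-50379 / CVE-2024-56337-style PUT+GET races in Tomcat access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern (assumed log format):
#   host ident authuser [date] "METHOD URI PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# .jsp or .jspx extension, matched case-insensitively (as NTFS would)
JSP_EXT_RE = re.compile(r"\.jspx?$", re.IGNORECASE)
# Methods the default servlet turns into filesystem writes when readonly=false
WRITE_METHODS = {"PUT", "DELETE"}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["uri"].split("?", 1)[0]
    return rec


def detect(lines, window=timedelta(seconds=5)):
    """Return a list of (rule, ip, path) alerts for the given log lines."""
    alerts = []
    recent_puts = defaultdict(list)  # case-folded path -> timestamps of PUTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, key = rec["path"], rec["path"].casefold()
        ext = JSP_EXT_RE.search(path)
        if rec["method"] in WRITE_METHODS:
            if ext and ext.group(0) != ext.group(0).lower():
                # '.Jsp' dodges the case-sensitive *.jsp mapping but lands on a .jsp file on NTFS
                alerts.append(("mixed-case JSP write", rec["ip"], path))
            elif ext:
                alerts.append(("JSP write", rec["ip"], path))
            if rec["method"] == "PUT":
                recent_puts[key].append(rec["ts"])
        elif rec["method"] == "GET" and ext:
            # A GET of a JSP shortly after a PUT to the same name (any case) is the race pattern
            if any(timedelta(0) <= rec["ts"] - t <= window for t in recent_puts.get(key, [])):
                alerts.append(("PUT/GET race on JSP", rec["ip"], path))
    return alerts


# Constructed sample log lines (not real traffic), including the race pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2024:10:15:31 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [20/Dec/2024:10:15:32 +0000] "PUT /uploads/cmd.Jsp HTTP/1.1" 201 -
10.0.0.9 - - [20/Dec/2024:10:15:32 +0000] "GET /uploads/cmd.jsp HTTP/1.1" 200 37
10.0.0.9 - - [20/Dec/2024:10:15:33 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 -
10.0.0.5 - - [20/Dec/2024:10:16:40 +0000] "GET /uploads/cmd.jsp HTTP/1.1" 200 37
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On a deployment where the default servlet is read-only, any PUT at all is worth an alert on its own; the mixed-case rule exists so that the specific bypass stands out on hosts where uploads are legitimately enabled.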

Systems are vulnerable only when both of the following conditions hold:

  • Tomcat runs on a case-insensitive filesystem (Windows NTFS is the typical case)
  • The default servlet's 'readonly' initialisation parameter is set to false (the shipped default is true, so write support must have been enabled deliberately in conf/web.xml or an application's WEB-INF/web.xml)

Additionally, the Java system property 'sun.io.useCanonCaches' determines whether the patched versions are actually safe. It enables the JVM's cache of canonical file paths, and a cached (stale) canonical path can cause Tomcat's case-mismatch check to pass when it should not. The property defaults to true in Java 8 and 11, defaults to false in Java 17 (where it can still be switched on), and no longer exists in Java 21, so a "fixed" Tomcat running on Java 8 or 11 remains exploitable unless the property is turned off.

The Apache Software Foundation recommends immediate upgrades to the latest secure versions: Apache Tomcat 11.0.2, 10.1.34, or 9.0.98. However, for deployments that meet the two conditions above, the upgrade alone is not sufficient.

Users must also apply a Java-version-dependent mitigation. On Java 8 and 11, 'sun.io.useCanonCaches' must be explicitly set to false (for example, '-Dsun.io.useCanonCaches=false' in CATALINA_OPTS). On Java 17 the property defaults to false, so it only needs to be verified that it has not been set to true. Java 21 and later require no additional configuration, because the property and the cache behind it have been removed.
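To turn the two conditions and the Java-version rule above into something checkable, here is an added Python audit script (not code from Apache or from the researchers credited in this article). It assumes you have already collected the version string printed by bin/version.sh or version.bat ('Server version: Apache Tomcat/9.0.97'), the JVM options from setenv.sh, setenv.bat or CATALINA_OPTS, and the relevant web.xml; the web.xml fragment below is constructed for the example, and the branch-to-fixed-version table comes from the advisory versions quoted above.

```python
"""Audit a Tomcat instance's exposure to CVE-2024-50379 / CVE-2024-56337."""
import re
import xml.etree.ElementTree as ET

# First fixed release per supported branch, as quoted in the advisory
FIXED = {11: (11, 0, 2), 10: (10, 1, 34), 9: (9, 0, 98)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(server_info):
    """'Apache Tomcat/9.0.97' -> (9, 0, 97); milestone suffixes such as -M1 are ignored."""
    m = VERSION_RE.search(server_info)
    if not m:
        raise ValueError(f"unrecognised version string: {server_info!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the version is at or past the first fixed release of its branch."""
    branch = FIXED.get(version[0])
    if branch is None:
        return False  # unknown or unsupported branch: treat as unpatched
    return version >= branch


def local(el):
    """Strip the XML namespace so any web.xml schema version (javaee, jakartaee) works."""
    return el.tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if the 'default' servlet has init-param readonly=false."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if local(servlet) != "servlet":
            continue
        name = next((c.text for c in servlet if local(c) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        for param in (c for c in servlet if local(c) == "init-param"):
            kv = {local(c): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False  # readonly defaults to true when not declared


def canon_cache_mitigated(java_major, jvm_opts):
    """Apply the Java-version-dependent rule for sun.io.useCanonCaches."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\w+)", jvm_opts)
    value = m.group(1).lower() if m else None
    if java_major >= 21:
        return True               # property and cache removed
    if java_major >= 17:
        return value != "true"    # default is false; must not be forced on
    return value == "false"       # Java 8/11 default to true; must be set explicitly


def assess(server_info, case_insensitive_fs, web_xml_text, java_major, jvm_opts):
    """Return a list of findings; an empty list means nothing further to do."""
    findings = []
    if not is_patched(parse_version(server_info)):
        findings.append("upgrade Tomcat to 11.0.2 / 10.1.34 / 9.0.98 or later")
    if case_insensitive_fs and default_servlet_writable(web_xml_text):
        findings.append("default servlet is write-enabled (readonly=false) on a case-insensitive filesystem")
        if not canon_cache_mitigated(java_major, jvm_opts):
            findings.append("set -Dsun.io.useCanonCaches=false in CATALINA_OPTS")
    return findings


# Constructed conf/web.xml fragment (not a real deployment) with write support enabled
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    # Windows host on Java 11, old Tomcat, no property set: three findings
    for f in assess("Apache Tomcat/9.0.97", True, SAMPLE_WEB_XML, 11, "-Xmx1g"):
        print("-", f)
```

The script deliberately reports the write-enabled default servlet as a finding even when the property is set correctly: on a case-insensitive filesystem that setting is the precondition for this whole class of bug, and the upcoming Tomcat releases will refuse the combination unless the property is set.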

Looking ahead, Apache has announced that the next releases (11.0.3, 10.1.35, and 9.0.99) will check that 'sun.io.useCanonCaches' is set appropriately before allowing the default servlet to be write-enabled on a case-insensitive filesystem, and will set the property to false by default where the JVM allows it, so that this combination cannot be reached by accident.

The vulnerability was identified through collaborative security research, with contributions from researchers Nacl, WHOAMI, Yemoli, Ruozhi, and the Knownsec 404 team, including Dawu and Sunflower, who provided detailed proof of concept documentation.

Given Apache Tomcat's widespread use in enterprise environments and cloud services, immediate attention to these security updates is crucial for maintaining secure web infrastructure.