Apache released a security advisory to address a critical vulnerability in the Tomcat server. Tracked as CVE-2024-56337, the vulnerability may allow an attacker to perform remote code execution on vulnerable servers.
Apache Tomcat is a free, open-source web server that hosts Java-based web applications. Tomcat is a Servlet container that runs Java code and implements Java Servlet and JavaServer Pages (JSP) specifications.
Vulnerability Details
This vulnerability originates from an incomplete mitigation for CVE-2024-50379. An attacker may exploit it when Tomcat runs on a case-insensitive file system and the default servlet has write functionality enabled. By manipulating paths, an attacker could bypass security measures and upload files containing harmful JSP code, ultimately leading to remote code execution.
The vulnerability affects the Tomcat versions listed below when they run on case-insensitive file systems, particularly those with the default servlet's write functionality enabled.
Affected Versions
- Apache Tomcat 9.0.0.M1 to 9.0.97
- Apache Tomcat 10.1.0-M1 to 10.1.33
- Apache Tomcat 11.0.0-M1 to 11.0.1
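As an added defender-side example (not code from Qualys or the Apache Tomcat project), the following Python script applies the two conditions described above to an asset inventory: it tests a reported Tomcat version against the affected ranges listed here, handling milestone releases such as 10.1.0-M1 and 9.0.0.M1, and it parses a web.xml to see whether the default servlet has write functionality enabled. The script assumes that write functionality corresponds to the DefaultServlet `readonly` init-param being set to `false`, which is Tomcat's documented control for that behaviour; the web.xml text and version strings are constructed sample inputs, and whether the host uses a case-insensitive file system is passed in as a flag because it cannot be read from web.xml.

```python
"""Exposure check for CVE-2024-56337 (added example; not Qualys or Apache code).

An instance is flagged as exposed only when all three advisory conditions hold:
  1. the Tomcat version lies in an affected range,
  2. the default servlet has write enabled (readonly=false in web.xml), and
  3. the host file system is case-insensitive (supplied by the caller).
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory: (first affected, last affected).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.97"),
    ("10.1.0-M1", "10.1.33"),
    ("11.0.0-M1", "11.0.1"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(version):
    """Turn '10.1.0-M1', '9.0.0.M1' or '9.0.97' into a sortable tuple.

    A milestone precedes the final release with the same numbers, so it sorts
    as (major, minor, patch, 0, n) and a release as (major, minor, patch, 1, 0).
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected_version(version):
    """True if the version falls inside any advisory range (inclusive)."""
    parsed = parse_version(version)
    return any(parse_version(lo) <= parsed <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Strip an XML namespace so the check works across web.xml schema versions."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if a <servlet> backed by DefaultServlet sets init-param readonly=false.

    Assumption (documented Tomcat behaviour): the DefaultServlet 'readonly'
    init-param defaults to true; setting it to false enables write operations.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = next((c.text or "" for c in servlet
                              if _local(c.tag) == "servlet-class"), "")
        if not servlet_class.strip().endswith("DefaultServlet"):
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = ""
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly" and value.lower() == "false":
                return True
    return False


def assess(version, web_xml_text, case_insensitive_fs):
    """Combine the three conditions into one inventory verdict."""
    result = {
        "affected_version": is_affected_version(version),
        "writable_default_servlet": default_servlet_writable(web_xml_text),
        "case_insensitive_fs": bool(case_insensitive_fs),
    }
    result["exposed"] = all(result.values())
    return result


# Constructed sample web.xml in the shape of Tomcat's conf/web.xml default servlet entry.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""
# Same file with the write switch turned back off.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("<param-value>false</param-value>",
                                          "<param-value>true</param-value>")

if __name__ == "__main__":
    for ver in ("9.0.97", "9.0.98", "10.1.0-M1", "10.1.34", "11.0.1", "11.0.2"):
        print(ver, assess(ver, SAMPLE_WEB_XML, case_insensitive_fs=True))
```

Run it against each instance's reported version and its effective web.xml (the server-wide conf/web.xml plus any per-application override). A host that is in range but runs on a case-sensitive file system, or that keeps `readonly` at its default of `true`, still needs the upgrade, but the `exposed` verdict helps order the work.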
Mitigation
Customers must upgrade to Apache Tomcat 10.1.34 or later to patch the vulnerability.
Please refer to the Apache Tomcat Security Advisory for more information.
Qualys Detection
Qualys customers can scan their devices with QIDs 732119, 732120, and 732121 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34