Two critical vulnerabilities have been discovered in Apache Tomcat, a popular open-source web server and servlet container, which could allow attackers to execute remote code or cause denial-of-service (DoS) conditions. The vulnerabilities were identified in multiple versions of Apache Tomcat, including 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. The first vulnerability, CVE-2024-50379, is rated as “Important” and enables remote code execution by exploiting a race condition during concurrent file read and upload operations, especially when the default servlet is configured with write permissions on a case-insensitive file system. This bypasses Tomcat’s case sensitivity checks, allowing uploaded files to be treated as JSP files, which can lead to remote code execution.
The second vulnerability, CVE-2024-54677, is classified as “Low” severity but still poses a risk as it enables attackers to trigger a denial of service attack. This flaw occurs within Tomcat’s example web applications, which fail to limit the size of uploaded data. As a result, attackers can upload excessive data, causing an OutOfMemoryError and resulting in a DoS condition. While the issue is somewhat mitigated by the fact that the example web applications are only accessible from localhost by default, it still presents a significant risk if exposed to public-facing servers.
Security researchers, including Elysee Franchuk, Nacl, WHOAMI, Yemoli, and Ruozhi, along with the Tomcat security team, were credited with discovering these vulnerabilities. To address the flaws, the Apache Software Foundation has released patches for all affected versions of Apache Tomcat. Users are strongly urged to upgrade to Apache Tomcat 11.0.2 or later, 10.1.34 or later, and 9.0.98 or later. These updated versions correct the vulnerabilities, significantly enhancing the security of Tomcat installations.
The discovery of these vulnerabilities highlights the ongoing importance of regular security audits and timely patching, particularly in widely-used software like Apache Tomcat. As these flaws could have serious consequences for enterprise environments, IT administrators and security professionals should prioritize applying the latest patches to prevent potential exploitation. The incident also serves as a reminder of the complexities involved in maintaining the security of complex software ecosystems and the need to stay informed about the latest security advisories.
Reference:
