WARNING: CRITICAL RCE VULNERABILITY IN APACHE TOMCAT, CVE-2024-50379, PATCH IMMEDIATELY!!

Published : 20/12/2024

Reference:
Advisory #2024-296

Version:
1.2

Affected software:
Apache Tomcat 10.1.0-M1 to 10.1.33
Apache Tomcat 11.0.0-M1 to 11.0.1
Apache Tomcat 9.0.0.M1 to 9.0.97

Type:
Time-of-check Time-of-use (TOCTOU) Race Condition

CVE/CVSS:
CVE-2024-50379: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-56337: CVSS under evaluation

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-50379

Risks

Apache Tomcat, a widely used open-source servlet container for hosting Java-based web applications, contains a critical vulnerability, CVE-2024-50379. On installations where the default servlet is configured with write access (a non-default setting) and the file system is case-insensitive, an unauthenticated attacker can upload a malicious file and execute arbitrary code on the server. While there were no reports of active exploitation at the time of writing, the potential impact is severe: the base score of 9.8 indicates critical risk. Successful exploitation compromises the confidentiality, integrity, and availability (CIA) of affected systems and can cause major downtime and disruption to daily operations. Organizations should update their Apache Tomcat installations without delay to mitigate this risk and ensure business continuity.

Update 2024-12-30:
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat. Please follow the instructions provided in the linked vendor advisory for CVE-2024-56337.

Description

CVE-2024-50379: Apache Tomcat (Critical)

CVE-2024-50379 is a time-of-check time-of-use (TOCTOU) race condition in Apache Tomcat's JSP compilation. It affects Apache Tomcat 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. The race is only reachable when the default servlet is configured with write access (the readonly initialisation parameter set to false, which is not the default) on a case-insensitive file system, where two paths that differ only in letter case resolve to the same file. Under those conditions an attacker can upload a file through the default servlet and have it compiled and executed as a JSP, resulting in remote code execution (RCE). The preconditions are a non-default configuration, but where they hold the impact is critical.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable installations with the highest priority, after thorough testing.

Apache recommends updating to version 11.0.2, 10.1.34, 9.0.98, or later to mitigate the risk of exploitation.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/nl/cert/een-incident-melden.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

Update 2025-01-10: Mitigation measures

In order to fully mitigate CVE-2024-50379, additional configuration may be needed, depending on which version of Java is used with Tomcat.
  • For systems running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
  • For systems running on Java 21 and onwards: no further configuration is required (the system property and the problematic cache have been removed)
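As a practical check covering both the preconditions given in the Description and the Java-version rule in this update, the following Python script (an added example, not CCB or Apache Tomcat code) evaluates the inputs of a Tomcat installation against the advisory's conditions: an affected version, a DefaultServlet with readonly=false, a case-insensitive file system, and the sun.io.useCanonCaches state. The web.xml samples are constructed, the function names are the example's own, and the handling of Java versions below 17 is taken from the linked vendor advisory for CVE-2024-56337 (the property defaults to true on Java 8 and 11 and must be set to false explicitly), which this page references but does not quote.

```python
"""Exposure check for CVE-2024-50379 / CVE-2024-56337.

Added example, not CCB or Apache Tomcat code. It encodes the conditions the
advisory names and runs offline on caller-supplied values and constructed
web.xml samples; the helper names below are the example's own.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release on each affected branch, per the advisory.
FIXED_PATCH = {(9, 0): 98, (10, 1): 34, (11, 0): 2}
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(version):
    """(major, minor, patch, milestone) for '9.0.97', '10.1.0-M1' or '9.0.0.M1'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def version_is_affected(version):
    """True inside the affected ranges, False from the fixed release on,
    None for branches the advisory does not list (e.g. 8.5.x)."""
    major, minor, patch, milestone = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    # A milestone build x.y.z-Mn predates the GA build of the same x.y.z.
    return patch < fixed or (patch == fixed and milestone is not None)


def _local(tag):
    """Drop the XML namespace: Tomcat 9 (javaee) and 10/11 (jakartaee) differ."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_is_writable(web_xml_text):
    """True when a DefaultServlet declaration sets readonly=false.
    Run it over conf/web.xml and every webapp's WEB-INF/web.xml."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return (_child_text(param, "param-value") or "").lower() == "false"
    return False  # readonly not set: Tomcat's default is true (no writes)


def canon_caches_mitigated(java_major, use_canon_caches=None):
    """Java-version rule from the 2025-01-10 update. use_canon_caches is the
    string given as -Dsun.io.useCanonCaches=..., or None if not set."""
    explicit_false = use_canon_caches is not None and use_canon_caches.strip().lower() == "false"
    if java_major >= 21:
        return True  # property and cache removed
    if java_major >= 17:
        return use_canon_caches is None or explicit_false  # defaults to false
    # Java 8/11: per the linked vendor advisory for CVE-2024-56337 (not quoted
    # on this page) the property defaults to true and must be set to false.
    return explicit_false


def assess(tomcat_version, web_xml_text, case_insensitive_fs, java_major, use_canon_caches=None):
    """Combine the checks into (at_risk, findings)."""
    findings = []
    affected = version_is_affected(tomcat_version)
    if affected is None:
        findings.append(f"Tomcat {tomcat_version}: branch not listed in the advisory, check with the vendor")
    elif affected:
        findings.append(f"Tomcat {tomcat_version}: affected, upgrade to 9.0.98 / 10.1.34 / 11.0.2 or later")
    writable = default_servlet_is_writable(web_xml_text)
    if writable:
        findings.append("DefaultServlet readonly=false: uploads enabled (non-default)")
    canon_ok = canon_caches_mitigated(java_major, use_canon_caches)
    if not canon_ok:
        findings.append(f"Java {java_major}: sun.io.useCanonCaches must be false")
    # Upload path and case-insensitive FS are the preconditions; an unpatched
    # version, or a patched one without the Java mitigation, completes the exposure.
    at_risk = bool(writable and case_insensitive_fs and (affected is not False or not canon_ok))
    return at_risk, findings


# Constructed samples modelled on the DefaultServlet block of Tomcat's conf/web.xml.
_HEAD = ('<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0"><servlet>'
         '<servlet-name>default</servlet-name>'
         f'<servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>'
         '<init-param><param-name>listings</param-name><param-value>false</param-value></init-param>')
_TAIL = '<load-on-startup>1</load-on-startup></servlet></web-app>'
SAFE_WEB_XML = _HEAD + _TAIL
WRITABLE_WEB_XML = (_HEAD + '<init-param><param-name>readonly</param-name>'
                    '<param-value>false</param-value></init-param>' + _TAIL)

if __name__ == "__main__":
    for args in [("9.0.97", WRITABLE_WEB_XML, True, 17), ("9.0.98", WRITABLE_WEB_XML, True, 11),
                 ("9.0.98", WRITABLE_WEB_XML, True, 17), ("10.1.33", SAFE_WEB_XML, False, 21)]:
        risk, notes = assess(*args)
        print(f"{args[0]} java{args[3]}: {'AT RISK' if risk else 'ok'} -> {notes}")
```

To use it on a real host, take the version from bin/version.sh (or version.bat), feed conf/web.xml and each deployed application's WEB-INF/web.xml to default_servlet_is_writable, and pass the value of any -Dsun.io.useCanonCaches in CATALINA_OPTS or the service wrapper configuration. A server that is patched but still shows readonly=false on Windows is the case the 2024-12-30 update is about: the Java-side setting decides whether it is fully mitigated.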

References

https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r

Update 2024-12-30: https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp