Article Details
Scrape Timestamp (UTC): 2024-12-24 06:13:30.939
Source: https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html
Original Article Text
Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.

The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.

"Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat," the project maintainers said in an advisory last week.

Both the flaws are Time-of-check Time-of-use (TOCTOU) race condition vulnerabilities that could result in code execution on case-insensitive file systems when the default servlet is enabled for write.

"Concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution," Apache noted in an alert for CVE-2024-50379.

CVE-2024-56337 impacts the below versions of Apache Tomcat -

Additionally, users are required to carry out the following configuration changes depending on the version of Java being run -

The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting both shortcomings. It also acknowledged the KnownSec 404 Team for independently reporting CVE-2024-56337 with a proof-of-concept (PoC) code.

The disclosure comes as the Zero Day Initiative (ZDI) shared details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9) that allows authenticated remote attackers to execute arbitrary code.
"The specific flaw exists within the handling of CGI requests," the ZDI said. "The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root."
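The advisory's pre-condition is concrete: the default servlet's readonly init-param set to false (the default is true). The following audit script is an added example, not code from the article or from the Tomcat project; it parses a constructed conf/web.xml (both the writable and the hardened variant are embedded inline as sample input), reports the effective readonly value of the servlet named "default", and treats the parameter the way Tomcat's DefaultServlet does, where only the literal string true (case-insensitive) enables read-only mode when the parameter is present. The function names, the sample XML and the audit messages are this example's own.

```python
"""Audit a Tomcat conf/web.xml for the pre-condition named in the
CVE-2024-50379 / CVE-2024-56337 advisories: the default servlet with its
``readonly`` init-param set to ``false`` (Tomcat's default is ``true``)."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment's file): default servlet
# configured writable, i.e. the risky setting the advisory describes.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# The same constructed file with the parameter returned to its default of true.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace so the check works for Jakarta and javax schemas."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective readonly value of the servlet named 'default'.

    True  -> read-only (Tomcat's default when the parameter is absent)
    False -> writable (the advisory's pre-condition is met)
    None  -> no servlet named 'default' is declared in this document
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text or "" for c in servlet
                     if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        readonly = True  # documented default when no readonly init-param exists
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            pname = pval = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    pname = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    pval = (child.text or "").strip()
            if pname == "readonly":
                # Tomcat parses this with Boolean.parseBoolean: only a literal
                # "true" (case-insensitive) keeps the servlet read-only.
                readonly = pval.lower() == "true"
        return readonly
    return None


def audit(web_xml_text):
    """Summarise whether the file meets the advisory's writable pre-condition."""
    readonly = default_servlet_readonly(web_xml_text)
    if readonly is None:
        return "no default servlet declared; nothing to check"
    if readonly:
        return "default servlet is read-only (Tomcat default): write pre-condition not met"
    return ("default servlet has readonly=false: writable; check the Tomcat and Java "
            "versions against the CVE-2024-50379 / CVE-2024-56337 advisories")


if __name__ == "__main__":
    print("weak:     ", audit(WEAK_WEB_XML))
    print("hardened: ", audit(HARDENED_WEB_XML))
```

Run it against a real conf/web.xml by reading the file into a string and passing it to audit(). A writable default servlet is only one of the advisory's conditions (the file system must also be case-insensitive, and the Java version determines whether further configuration is needed), so a "writable" result is a prompt to consult the advisory for the deployed versions, not a verdict on its own.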
Daily Brief Summary
The Apache Software Foundation (ASF) has issued updates to address a significant remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337.
This vulnerability is an incomplete fix of a previous critical flaw, CVE-2024-50379, which also allowed RCE attacks, both having a high CVSS score of 9.8.
CVE-2024-56337 enables RCE through a TOCTOU (Time-of-check Time-of-use) race condition, affecting systems that run Tomcat on a case-insensitive file system with the default servlet enabled for write.
Both vulnerabilities are exploitable only under specific conditions, such as concurrent read and upload of the same file under load, which can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP.
Apache Tomcat versions impacted by CVE-2024-56337 were not specified, but users are advised to apply configuration adjustments depending on the Java version used.
Security researchers Nacl, WHOAMI, Yemoli, and Ruozhi, along with the KnownSec 404 Team, were credited with discovering and reporting these vulnerabilities.
In related news, Zero Day Initiative disclosed a critical vulnerability (CVE-2024-12828) in Webmin that permits authenticated remote attackers to execute arbitrary code due to improper validation in CGI request handling.