Security Alert (A24-12-14): Multiple Vulnerabilities in Apache Tomcat


 

Published on: 18 December 2024

  
  

Description:

The Apache Software Foundation released security updates to address the vulnerabilities in the Apache Tomcat. A remote attacker could exploit the vulnerabilities by sending a specially crafted request to the affected systems.

Apache Software Foundation announced that the mitigation for the remote code execution vulnerability (CVE-2024-50379) within the latest patches Apache Tomcat 9.0.98, 10.1.34 and 11.0.2 has been identified as incomplete. While additional patches to fully mitigate the issue (tracked as CVE-2024-56337) are yet available, Apache Software Foundation has provided temporary measures to mitigate the risk of exploitation.

System administrators of affected systems should follow the recommendations listed below and take immediate actions to mitigate the risk.It is recommended to properly assess the impact before adopting the temporary measures and consult the product vendors for the assistance.

GovCERT.HK is closely monitoring the situation and will issue an update on the concerned issue once the additional patches are available.

 

Affected Systems:

  • Apache Tomcat 11.0.0-M1 to 11.0.1
  • Apache Tomcat 10.1.0-M1 to 10.1.33
  • Apache Tomcat 9.0.0-M1 to 9.0.97

For detailed information of the affected systems, please refer to the corresponding security advisory at software provider's website.

 

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution or denial of service on an affected system.

 

Recommendation:

The Apache Software Foundation has released new versions of the software to address the issue and they can be downloaded at the following URLs:
https://tomcat.apache.org/download-11.cgi#11.0.2
https://tomcat.apache.org/download-10.cgi#10.1.34
https://tomcat.apache.org/download-90.cgi#9.0.98

In addition to upgrading to versions 9.0.98, 10.1.34 or 11.0.2, system administrators of affected systems should apply additional configuration based on the Java version in use:

  • Java 8 or Java 11
    The system property sun.io.useCanonCaches must be explicitly set to false (the default value is true)
  • Java 17
    If the system property sun.io.useCanonCaches is set, it must be configured to false (the default value is false)
  • Java 21 onwards
    No further configuration is required (the system property and the problematic cache have been removed)

 

More Information:

  • https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98
  • https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34
  • https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2
  • https://www.hkcert.org/security-bulletin/apache-tomcat-multiple-vulnerabilities_20241218
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54677
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56337


Tag: Apache , Tomcat
Tags