
Voyager18 (research)

CVE-2024-50379: A Critical Time-of-Check Time-of-Use (TOCTOU) Vulnerability in Apache Tomcat

Apache Tomcat, one of the most widely used open-source web servers and servlet containers, has recently been found vulnerable to a critical security flaw, CVE-2024-50379. This vulnerability, with a CVSS score of 9.8, exposes systems to remote code execution (RCE) under specific configurations, making it a significant threat to enterprises relying on Tomcat for Java-based web applications. Read on for the details of CVE-2024-50379, its impact, and the mitigation steps needed to secure your systems.

Yair Divinsky | December 25, 2024

A new critical vulnerability exposing systems to remote code execution (RCE) was recently discovered in Apache Tomcat, a well-known and widely used open-source web server and servlet container. The flaw poses a threat to enterprises relying on Tomcat for Java-based web applications. In this blog, we will explore the details of CVE-2024-50379, assess its impact, and outline mitigation steps.

TL;DR

Affected products: Apache Tomcat versions 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97

Product category: Web Application Security

Severity: Critical (CVSS Score: 9.8)

Type: Time-of-check Time-of-use (TOCTOU) race condition vulnerability

Impact: Remote Code Execution (RCE)

PoC: Link

Exploit in the wild: No

CISA Catalog:

Remediation action:
  • Upgrade Apache Tomcat to the fixed versions:
    • 11.0.2 or later
    • 10.1.34 or later
    • 9.0.98 or later
  • Configure the Java system property sun.io.useCanonCaches to false for Java 8 or Java 11
  • If using Java 17, ensure sun.io.useCanonCaches is set to false if explicitly configured.
  • No additional action is needed for Java 21 or later.

MITRE advisory: Link

 

What is CVE-2024-50379?

CVE-2024-50379 is a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in Apache Tomcat. The flaw arises when Tomcat is configured to run on a case-insensitive file system with the default servlet’s write functionality enabled. This configuration can lead to scenarios where concurrent reads and uploads to the same file bypass Tomcat’s case sensitivity checks. 

As a result, attackers can exploit this loophole to execute arbitrary Java Server Pages (JSP) code, gaining unauthorized access to the system. 

 

Update: CVE-2024-50379 and CVE-2024-56337: A Linked Vulnerability Path in Apache Tomcat

CVE-2024-50379 is part of a broader issue in Apache Tomcat, with another vulnerability, CVE-2024-56337, acting as a follow-up to this initial flaw. Both vulnerabilities are classified as Time-of-Check Time-of-Use (TOCTOU) race conditions, a type of vulnerability where an action (in this case, file uploads and reads) occurs between the moment a check is made and the time the action is executed, opening a window for exploitation. 

Initially, the Apache Software Foundation (ASF) released a fix for CVE-2024-50379 on December 17, 2024, addressing the risk of arbitrarily uploaded files being treated as JSP code. This occurred when Tomcat was configured on case-insensitive file systems (e.g., Windows or macOS) with the default servlet’s write functionality enabled. However, soon after the release, it became evident that the patch didn’t fully address all edge cases, particularly on systems running older versions of Java.

Thus, on December 23, 2024, Apache issued an additional update to fully mitigate the issue, tracked as CVE-2024-56337. This new fix clarifies the need for further manual configuration steps to ensure that all affected environments are properly secured, especially for users running older Java versions (Java 8 or Java 11). Without these additional steps, the vulnerability could still be exploited in certain configurations, despite the initial patch. 

The core of both CVEs lies in the same flaw: under certain configurations, concurrent file upload and read operations can bypass Tomcat’s case sensitivity checks, enabling an attacker to upload a file that is mistakenly treated as executable code, leading to remote code execution (RCE). To fully mitigate this, administrators must apply both the updated versions of Tomcat (11.0.2, 10.1.34, and 9.0.98 or later) and additional configuration changes depending on their Java environment. 

For systems running Java 8 or Java 11, administrators are advised to set the sun.io.useCanonCaches property to false. This prevents Tomcat from handling file paths incorrectly. On Java 17 systems, this property should be checked to ensure it’s set to false as well. No changes are needed for Java 21 and beyond, as the problematic property has been removed in those versions.

With the release of CVE-2024-56337, Apache Tomcat users are now equipped with a comprehensive fix, addressing both the original flaw and any remaining vulnerabilities tied to older Java configurations. It’s crucial for administrators to implement both software and configuration updates to protect their environments from exploitation. 

 

Does CVE-2024-50379 affect me?

The vulnerability impacts the following Apache Tomcat versions: 

  • Apache Tomcat 11.0.0-M1 to 11.0.1 
  • Apache Tomcat 10.1.0-M1 to 10.1.33 
  • Apache Tomcat 9.0.0.M1 to 9.0.97 

You may be affected by CVE-2024-50379 if your systems meet the following conditions: 

  1. Environment Configuration – Your Apache Tomcat server is running on a case-insensitive file system (e.g., Windows or macOS) and the default servlet’s readonly initialization parameter is set to false (non-default setting).
  2. Java Version – Systems using older Java versions (Java 8 or Java 11) are particularly at risk, as they require manual configuration to mitigate the issue.
  3. Use Case – Applications hosted on the affected Tomcat versions rely on concurrent file uploads or involve scenarios where file write operations are enabled.

Administrators should review their configurations and assess if their systems align with these conditions to determine exposure. 
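The exposure conditions above, applied in code. This is an added example, not Vulcan's or Apache's own tooling; it takes the Tomcat version, Java major version, file-system case sensitivity, the default servlet's readonly setting and any explicit sun.io.useCanonCaches value as inputs, and it handles the two milestone spellings the affected ranges use ("11.0.0-M1" versus "9.0.0.M1"), which a naive string comparison gets wrong.

```python
import re

# Affected ranges (inclusive) and fixed versions as listed in the advisory.
AFFECTED_RANGES = [("11.0.0-M1", "11.0.1"), ("10.1.0-M1", "10.1.33"), ("9.0.0.M1", "9.0.97")]
FIXED_VERSIONS = {11: "11.0.2", 10: "10.1.34", 9: "9.0.98"}

def version_key(version):
    """Sortable key for a Tomcat version string. Milestones are written
    '11.0.0-M1' (10.1.x/11.x) or '9.0.0.M1' (9.x); both sort before the final release."""
    parts = re.split(r"[.-]", version.strip())
    nums = [int(p) for p in parts if p.isdigit()]
    milestone = [int(p[1:]) for p in parts if re.fullmatch(r"M\d+", p)]
    nums += [0] * (3 - len(nums))
    if milestone:
        return (nums[0], nums[1], nums[2], 0, milestone[0])  # pre-release slot
    return (nums[0], nums[1], nums[2], 1, 0)                  # final release slot

def is_affected_version(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)

def assess(version, java_major, case_insensitive_fs, readonly, use_canon_caches=None):
    """Apply the three conditions from the advisory. use_canon_caches is the explicit
    -Dsun.io.useCanonCaches value (True/False) or None when the flag is not set."""
    if not case_insensitive_fs or readonly:
        return "not exposed: needs a case-insensitive FS and default servlet readonly=false"
    if is_affected_version(version):
        return "vulnerable: upgrade to %s or later" % FIXED_VERSIONS[version_key(version)[0]]
    if java_major in (8, 11) and use_canon_caches is not False:
        return "patched but exposed: set sun.io.useCanonCaches=false (JVM default is true)"
    if java_major == 17 and use_canon_caches is True:
        return "patched but exposed: sun.io.useCanonCaches is explicitly true, set it to false"
    return "mitigated"
```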

 

Has CVE-2024-50379 been actively exploited in the wild?

At the time of writing, there are no confirmed reports of active exploitation of CVE-2024-50379 in the wild. However, the Apache Software Foundation (ASF) has credited several security researchers for independently identifying and reporting the flaw, including proof-of-concept (PoC) code. 

The availability of PoC code increases the likelihood of exploitation, especially in environments where mitigation steps have not been implemented.

 

How to fix CVE-2024-50379

To address CVE-2024-50379, Apache has released updates and provided detailed configuration changes to secure affected systems: 

  1. Upgrade Apache Tomcat – Ensure you are running the patched versions of Apache Tomcat:
    • Upgrade to version 11.0.2 or later
    • Upgrade to version 10.1.34 or later
    • Upgrade to version 9.0.98 or later
  2. Adjust System Properties Based on Java Version
    • For Java 8 or Java 11 – Set the system property sun.io.useCanonCaches to false (default: true)
    • For Java 17 – Verify that sun.io.useCanonCaches is set to false (default: false)
    • For Java 21 and Later – No action is required, as the sun.io.useCanonCaches property has been removed.
  3. Review Default Servlet Configuration – Check and modify the readonly parameter in the default servlet’s configuration to ensure it is set to true unless explicitly required for your use case.
  4. Monitor for Exploitation Attempts – Implement logging and monitoring mechanisms to detect anomalous file upload or read operations that could indicate exploitation attempts.
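A small audit for steps 2 and 3, written for this post as an added example rather than anything shipped by Apache. It parses a conf/web.xml fragment (a constructed sample is embedded; the namespace handling covers both the Tomcat 9 javaee and the Tomcat 10.1/11 jakartaee schemas) for the default servlet's readonly parameter, reads an explicit -Dsun.io.useCanonCaches flag out of a CATALINA_OPTS string, and reports what still needs changing for the given Java major version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a conf/web.xml fragment with the risky non-default setting
# (readonly=false) on the default servlet; not taken from any real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and 10.1/11 (jakartaee) both parse."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(web_xml_text):
    """Effective 'readonly' value of the servlet named 'default'.
    An absent parameter means True, which is Tomcat's own default."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-name") != "default":
            continue
        for param in servlet:
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if _local(param.tag) == "init-param" and kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() == "true"
    return True

def canon_caches_setting(jvm_opts):
    """Explicit -Dsun.io.useCanonCaches value from CATALINA_OPTS/JAVA_OPTS text,
    or None when the flag is not set (the JVM default then applies)."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(true|false)", jvm_opts)
    return None if m is None else m.group(1) == "true"

def audit(web_xml_text, jvm_opts, java_major):
    """Return the findings an administrator should act on, following the fix steps above."""
    findings = []
    if not default_servlet_readonly(web_xml_text):
        findings.append("default servlet readonly=false: set it to true unless writes are required")
    canon = canon_caches_setting(jvm_opts)
    if java_major in (8, 11) and canon is not False:
        findings.append("Java %d: add -Dsun.io.useCanonCaches=false (JVM default is true)" % java_major)
    elif java_major == 17 and canon is True:
        findings.append("Java 17: sun.io.useCanonCaches is explicitly true, set it to false")
    return findings  # an empty list means nothing is left to change for this CVE
```

Run it against your own conf/web.xml and the JVM options from bin/setenv.sh (or the service definition) rather than the embedded sample.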

By following these steps, you can significantly reduce the risk posed by CVE-2024-50379 and secure your systems against potential attacks. Stay vigilant and ensure that your systems are updated and properly configured to minimize vulnerabilities. For additional insights and updates, refer to the official Apache Tomcat security advisories.


 

Further reading

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q3 2024 Vulnerability Watch 
  2. IBM’s Cost of a Data Breach 2024: What we learned 
  3. Fixing the RCE flaw in the Common Unix Printing System (CUPS) 
  4. Vulnerability disclosure policy (and how to get it right) 
  5. OpenSSH again? How to fix CVE-2024-7589
