Service Notices
Apache Tomcat Remote Code Execution Vulnerability (CVE-2024-50379)
Dec 19, 2024 GMT+08:00
I. Overview
Recently, Apache Tomcat issued a security notice regarding a remote code execution vulnerability (CVE-2024-50379) in certain versions. The vulnerability stems from a flaw in file path verification. If the default servlet is write-enabled (the readonly initialisation parameter set to the non-default value false) on a case-insensitive file system, concurrent reads and uploads of the same file under load can bypass Tomcat's case-sensitivity checks and cause an uploaded file to be treated as a JSP, leading to remote code execution.
Apache Tomcat is a popular Java web application server. If you use Apache Tomcat, check your version and apply security hardening promptly.
Reference:
https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Tomcat 11.0.0-M1 to 11.0.1
Apache Tomcat 10.1.0-M1 to 10.1.33
Apache Tomcat 9.0.0.M1 to 9.0.97
Secure versions:
Apache Tomcat 11.0.2
Apache Tomcat 10.1.34
Apache Tomcat 9.0.98
IV. Vulnerability Handling
This vulnerability has been fixed in later official releases. If your service version falls within the affected range, upgrade to the latest secure version.
Apache Tomcat 11: https://tomcat.apache.org/download-11.cgi
Apache Tomcat 10: https://tomcat.apache.org/download-10.cgi
Apache Tomcat 9: https://tomcat.apache.org/download-90.cgi
Note: Before fixing vulnerabilities, back up your files and test the change thoroughly.