Race Condition Vulnerability in Apache Tomcat Affects Multiple Versions
CVE-2024-56337
Key Information
- Vendor: Apache
- CVE Published: 20 December 2024
Summary
CVE-2024-56337 is a Time-of-Check to Time-of-Use (TOCTOU) race condition in Apache Tomcat that affects several release lines. It is reachable when Tomcat runs on a case-insensitive file system with the default servlet's write capability enabled. Systems remain exposed unless they are configured correctly, because the initial mitigation for CVE-2024-50379 was insufficient. Additional configuration is required on Java 8 and Java 11, where the system property 'sun.io.useCanonCaches' must be set to false. On Java 17 the same property, if it has been set at all, must also be false. Tomcat 11.0.3, 10.1.35 and 9.0.99 and later check this setting before allowing default servlet write access on case-insensitive file systems, and apply the appropriate configuration automatically where possible.
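As an added, defender-side example (not part of this advisory page or of Tomcat itself), the shell function below encodes the mitigation rules from the summary as a configuration check. It takes the relevant values as arguments rather than probing a live server; 'readonly' is the DefaultServlet init-param that controls write access, and applying the Java 17 rule to every release from Java 12 onward is an assumption based on the JDK 12 change of the property's default to false.

```shell
#!/bin/sh
# Decide whether a Tomcat instance still needs the CVE-2024-56337 mitigation.
#
#   tomcat_writes_safe JAVA_MAJOR CANON_CACHES READONLY CASE_INSENSITIVE
#     JAVA_MAJOR       major Java version, e.g. 8, 11, 17
#     CANON_CACHES     value of -Dsun.io.useCanonCaches, or "" if unset
#     READONLY         DefaultServlet 'readonly' init-param (Tomcat default: true)
#     CASE_INSENSITIVE yes|no, whether the webapps file system folds case
#
# Prints a verdict; returns 0 when no further action is needed, 1 when the
# configuration is still exposed.
tomcat_writes_safe() {
    java_major=$1; canon=$2; ro=$3; ci=$4

    # Default servlet writes disabled (the Tomcat default): nothing to do.
    if [ "$ro" != "false" ]; then
        echo "ok: default servlet is read-only"
        return 0
    fi
    # Case-sensitive file system: the TOCTOU path does not apply.
    if [ "$ci" != "yes" ]; then
        echo "ok: case-sensitive file system"
        return 0
    fi
    if [ "$java_major" -lt 12 ]; then
        # Java 8/11: the canonical-path cache is on by default, so the
        # property must be set to false explicitly.
        if [ "$canon" = "false" ]; then
            echo "ok: sun.io.useCanonCaches=false is set"
            return 0
        fi
        echo "EXPOSED: set -Dsun.io.useCanonCaches=false (Java $java_major)"
        return 1
    fi
    # Java 12 and later (assumption generalising the page's Java 17 rule):
    # the cache is off unless someone re-enabled it.
    if [ "$canon" = "true" ]; then
        echo "EXPOSED: remove sun.io.useCanonCaches=true (Java $java_major)"
        return 1
    fi
    echo "ok: canonical-path cache not enabled"
    return 0
}

# Constructed sample: Java 11 with the property set, writes enabled, NTFS-style FS.
tomcat_writes_safe 11 false false yes
```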
News Articles
Critical Tomcat flaw could expose your servers to attack
The Apache Software Foundation (ASF) has released a security update for its Tomcat server software, addressing a critical vulnerability identified as
Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks
Apache releases a security update for CVE-2024-56337, addressing RCE risks in Tomcat servers with critical configuration changes required for Java 8,
Apache fixes remote code execution bypass in Tomcat web server
Apache has released a security update that addresses an important vulnerability in Tomcat web server that could lead to an attacker achieving remote code execution.