This long-read post explores the details surrounding a newly discovered vulnerability, CVE-2024-21733, in Apache Tomcat. The vulnerability allows unauthorized users to access sensitive information by interacting with certain error messages. We'll take an in-depth look at the exploit, identify the versions of Apache Tomcat that are affected, and offer solutions to prevent this vulnerability from causing security issues.

Affected versions: 9.0.0-M11 through 9.0.43

Users are recommended to upgrade to version 8.5.64 or later, or 9.0.44 or later, which contain a fix for the issue.

Exploit Details

The vulnerability exploits a weakness in Apache Tomcat's error handling mechanism. When an error occurs, the server generates an error message which, in this case, contains sensitive information. The attacker can then interact with the error message to obtain sensitive information about the underlying server, potentially compromising the privacy and security of the system.

Here's a code snippet that demonstrates the generation of error messages containing sensitive information:

// Assumes an SLF4J-style logger instance named "logger" is in scope
try {
    // ... perform some action that may throw an exception ...
} catch (Exception e) {
    // Writes the exception message and full stack trace to the log;
    // either may carry internal details (paths, class names, query text)
    logger.error("An error occurred: " + e.getMessage(), e);
}

Steps to Exploit

1. The attacker sends specially crafted requests to the targeted web application running on an affected version of Apache Tomcat.
2. In case of an error, the server generates an error message with sensitive information, which is exposed in logs or visible to users.
3. The attacker extracts the sensitive information from the error message and uses it to exploit further security vulnerabilities or conduct other malicious activities.

Upgrade Apache Tomcat to version 8.5.64 or later, or 9.0.44 or later.

- Configure logging levels to only log necessary information and avoid exposing sensitive information in logs.
- Consider implementing a custom error handler to generate custom error messages, which do not expose sensitive information.
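The custom error handler suggested above, as an added example that is not code from this page or from Apache Tomcat itself. It uses the Servlet API request attributes the container sets when it forwards to an error page, logs the full detail server-side under a generated reference id, and returns only a generic message to the client; the servlet name, the /error path and the SLF4J logger are assumptions.

```java
import java.io.IOException;
import java.util.UUID;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Map errors to this servlet in web.xml, for example:
//   <error-page><exception-type>java.lang.Throwable</exception-type><location>/error</location></error-page>
//   <error-page><error-code>500</error-code><location>/error</location></error-page>
@WebServlet("/error") // hypothetical path chosen for this example
public class SafeErrorServlet extends HttpServlet {
    private static final Logger log = LoggerFactory.getLogger(SafeErrorServlet.class);

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Details the container attached when it dispatched to this error page
        Throwable cause = (Throwable) req.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        String uri = (String) req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);

        // Reference id lets operators find the full record in the server log
        String incidentId = UUID.randomUUID().toString();
        if (cause != null) {
            // SLF4J treats a trailing Throwable argument as the exception to log
            log.error("incident={} status={} uri={}", incidentId, status, uri, cause);
        } else {
            log.warn("incident={} status={} uri={}", incidentId, status, uri);
        }

        // The client sees a fixed message and the id only: no stack trace,
        // exception class, file path or server version
        int code = (status != null) ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        if (!resp.isCommitted()) {
            resp.reset();
        }
        resp.setStatus(code);
        resp.setContentType("text/plain;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().println("An error occurred. Reference: " + incidentId);
    }
}
```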

For further information on CVE-2024-21733, please refer to the following original references:

1. Apache Tomcat Security Advisory - CVE-2024-21733
2. Apache Software Foundation - Generation of Error Message Containing Sensitive Information Vulnerability
3. CVE Details - CVE-2024-21733

Conclusion

CVE-2024-21733 poses a threat to the security and privacy of systems running affected versions of Apache Tomcat. By generating error messages that contain sensitive information, this vulnerability has the potential to expose systems to unauthorized access and malicious activities. To safeguard systems from these attacks, users should upgrade to a secure version of Apache Tomcat and ensure that error messages do not expose sensitive information to unauthorized users.

Timeline

Published on: 01/19/2024 11:15:08 UTC
Last modified on: 02/01/2024 17:15:10 UTC