A vulnerability has been discovered in Apache Tomcat, identified as CVE-2024-52316, that could potentially allow users to bypass the authentication process when a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component is used. This post aims to provide details about the vulnerability, affected versions, and recommended steps to mitigate the security risk.
Background
Apache Tomcat is a widely used open-source web server and servlet container that implements several Java specifications such as JavaServer Pages (JSP), Java Expression Language, and WebSocket. Jakarta Authentication, previously known as JASPIC, is a Java EE standard API for HTTP authentication.
Vulnerability Details
The vulnerability specifically affects situation when Apache Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure. In such cases, the authentication may not fail as expected, allowing the user to bypass the authentication process and access protected resources. It is important to note that there are no known Jakarta Authentication components that behave in this way.
From 9..-M1 through 9..95
Fix:
The issue has been fixed in the following Apache Tomcat versions, and users are recommended to upgrade to these versions to address the vulnerability:
For more information on this vulnerability, you can refer to the following sources
- CVE-2024-52316
- Apache Tomcat Security Advisory
Code Snippet
Below is a code snippet demonstrating a vulnerable custom ServerAuthContext component that does not set an HTTP status when an exception is thrown during the authentication process:
public class VulnerableServerAuthContext implements ServerAuthContext {
// ...
@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
Subject serviceSubject) throws AuthException {
try {
// ...
// Perform authentication
// ...
} catch (Exception e) {
// Vulnerable: an exception is thrown but no HTTP status is set
throw new AuthException("Authentication failed", e);
}
}
}
To address the vulnerability, make sure that the custom ServerAuthContext component sets an appropriate HTTP status in case of an exception:
public class SecureServerAuthContext implements ServerAuthContext {
// ...
@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
Subject serviceSubject) throws AuthException {
try {
// ...
// Perform authentication
// ...
} catch (Exception e) {
// Set an appropriate HTTP status
messageInfo.getMap().put("javax.servlet.http.authType", "AUTH-FAILURE");
throw new AuthException("Authentication failed", e);
}
}
}
Conclusion
To mitigate CVE-2024-52316 vulnerability in Apache Tomcat, users are advised to upgrade to the fixed versions (11.., 10.1.31, or 9..96) as soon as possible. Additionally, when using custom Jakarta Authentication ServerAuthContext components, ensure that appropriate HTTP statuses are set in the authentication process to avoid unintentional bypasses of the authentication process.
Timeline
Published on: 11/18/2024 12:15:18 UTC
Last modified on: 11/18/2024 17:11:17 UTC