The recently disclosed security vulnerability CVE-2024-54677 in the examples web application shipped with Apache Tomcat allows uncontrolled resource consumption, which can result in a denial of service (DoS). This post covers the affected versions, how the vulnerability can be exploited, and how to resolve it.
Affected Versions
- Apache Tomcat 9.0.0.M1 through 9.0.97
If you are using any of these versions, it is crucial to upgrade to a newer version to protect yourself from potential exploits.
Technical Details
The vulnerability lies in how the examples web application shipped with Apache Tomcat handles user-supplied input: nothing bounds the resources a request can consume, so an attacker who submits specially crafted requests can make the server consume excessive memory or CPU. The following simplified snippet illustrates the pattern:
import jakarta.servlet.http.HttpServletRequest; // Tomcat 10.1/11; Tomcat 9 uses javax.servlet.http

public class ResourceConsumptionVulnerability {
    public void processRequest(HttpServletRequest request) {
        // User-controlled value taken straight from the request
        String userInput = request.getParameter("userInput");
        // Vulnerable code: uncontrolled resource consumption occurs here,
        // because nothing bounds the size or number of inputs before use
        consumeResources(userInput);
    }

    private void consumeResources(String input) {
        //... (body elided on the original page)
    }
}
Exploit Details
An attacker could exploit this vulnerability by sending a request with a large payload, or a series of requests with smaller payloads, leading to uncontrolled resource consumption and eventually a denial of service. The attacker may use tools such as cURL or Burp Suite to modify the HTTP request payload or header fields.
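Because the exploitation pattern described above is a burst of requests against the examples application, the most direct detection signal is request volume per client against that path in the Tomcat access log. The following is an added example (not code from the page or from the Tomcat project) that parses lines in Tomcat's default "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b) and flags any client that exceeds a request threshold under /examples/ within a sliding time window. The log lines, the /examples/ prefix, the 10-second window and the threshold of 20 are all constructed assumptions; tune them to your own traffic baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat's default AccessLogValve pattern "common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bursts(lines, prefix="/examples/", window=timedelta(seconds=10), threshold=20):
    """Return {client_ip: peak_count} for clients that issued at least
    `threshold` requests under `prefix` inside any window of length `window`."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefix):
            per_host[rec["host"]].append(rec["ts"])

    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


# Constructed sample log (assumption, not real traffic): one client hammers an
# examples servlet 25 times within five seconds; another client is benign.
def _mk(host, second, path, status=200):
    return (f'{host} - - [17/Dec/2024:13:15:{second:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 512')


SAMPLE_LOG = (
    [_mk("198.51.100.7", s // 5, "/examples/servlets/servlet/RequestParamExample")
     for s in range(25)]
    + [_mk("192.0.2.10", 5, "/docs/index.html"),
       _mk("192.0.2.10", 30, "/examples/index.html")]
)

if __name__ == "__main__":
    for host, count in find_bursts(SAMPLE_LOG).items():
        print(f"burst against examples app from {host}: {count} requests in window")
```

Run it against a real file with `find_bursts(open("logs/localhost_access_log.2024-12-17.txt"))`; lines that do not match the pattern are skipped rather than raising, so a mixed log is safe to feed in.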
How to Resolve the Issue
Users are strongly recommended to upgrade their Apache Tomcat installations to one of the following versions, which contain the fix for CVE-2024-54677. Downloads for the fixed versions are available from the official Apache Tomcat website:
- Apache Tomcat 11.0.2
- Apache Tomcat 10.1.34
- Apache Tomcat 9.0.98
The examples web application is not intended for production use; removing it from any deployment that does not need it eliminates this attack surface regardless of version.
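To decide whether a given installation needs the upgrade, compare its version against the fixed release for its branch and check whether the examples application is actually deployed. The following is an added example (not the page's or the Tomcat project's code) that does both: it parses the version string as printed by Tomcat's ServerInfo class (for example "Server version: Apache Tomcat/9.0.97"), handles milestone releases such as 9.0.0.M1 and 11.0.0-M1, and looks for a webapps/examples directory under a CATALINA_BASE path. The fixed versions are the ones listed above; branches not listed there (such as 8.5) return None so that they are reviewed by hand rather than silently reported as safe. The CATALINA_BASE layout check is an assumption about a standard installation.

```python
import os
import re
import sys

# Fixed releases listed in the advisory, keyed by release branch (major, minor)
FIXED_BY_BRANCH = {
    (11, 0): (11, 0, 2),
    (10, 1): (10, 1, 34),
    (9, 0): (9, 0, 98),
}

# Matches "9.0.97", "9.0.0.M1" and "11.0.0-M1" wherever they appear in a string
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?')


def version_key(text):
    """Return a sortable tuple for the first Tomcat version found in `text`.

    Layout: (major, minor, patch, final_flag, milestone). final_flag is 1 for a
    final release and 0 for a milestone, so 9.0.0.M1 sorts before 9.0.0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(milestone))


def patched_for_cve_2024_54677(text):
    """True if the version is at or above the fixed release for its branch,
    False if it is below it, None if the branch is not covered above."""
    key = version_key(text)
    fixed = FIXED_BY_BRANCH.get(key[:2])
    if fixed is None:
        return None
    return key >= fixed + (1, 0)


def examples_deployed(catalina_base):
    """True if the examples web application is present under CATALINA_BASE.
    Assumes the standard webapps/ layout."""
    return os.path.isdir(os.path.join(catalina_base, "webapps", "examples"))


def assess(server_info_line, catalina_base):
    """Combine both checks into a short report dictionary."""
    patched = patched_for_cve_2024_54677(server_info_line)
    deployed = examples_deployed(catalina_base)
    return {
        "patched": patched,
        "examples_deployed": deployed,
        # Exposed only when the vulnerable app is present on an unpatched branch
        "exposed": deployed and patched is False,
    }


if __name__ == "__main__":
    # Usage: python check.py "Server version: Apache Tomcat/9.0.97" /opt/tomcat
    line = sys.argv[1] if len(sys.argv) > 1 else "Apache Tomcat/9.0.97"
    base = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("CATALINA_BASE", ".")
    print(assess(line, base))
```

The version line can be obtained from an installation with `java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo`, which prints a "Server version:" line in the format the parser expects.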
Conclusion
CVE-2024-54677 is a critical security vulnerability affecting certain versions of Apache Tomcat, leading to uncontrolled resource consumption and potential denial of service. Users are urged to immediately upgrade their Apache Tomcat installations to a safe version to prevent any potential exploitation of this vulnerability.
Timeline
Published on: 12/17/2024 13:15:18 UTC
Last modified on: 12/18/2024 17:15:14 UTC