A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability has been discovered in Apache Tomcat that can potentially be exploited by malicious users resulting in unintended access or modification of files. This vulnerability affects multiple Tomcat versions listed below:
Apache Tomcat 9...M1 through 9..97
In addition, the vulnerability mitigation provided for CVE-2024-50379 in earlier versions of Tomcat has been found to be incomplete. As a result, this post will provide further details on the vulnerability, the affected versions, and proposed mitigation steps.
Vulnerability Details
The Time-of-check-Time-of-use (TOCTOU) Race Condition vulnerability occurs due to the way Apache Tomcat handles file systems that are case-insensitive. Specifically, the vulnerability impacts the default servlet where the readonly initialization parameter is set to the non-default value of false.
When running Tomcat on a case insensitive file system with the default servlet write enabled, additional configuration might be required to fully mitigate CVE-2024-50379 depending on which version of Java is being used with Tomcat:
- For Java 8 or Java 11: The system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- For Java 17: The system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- For Java 21 onwards: No further configuration is required (the system property and the problematic cache have been removed)
The upcoming versions of Tomcat including 11..3, 10.1.35, and 9..99 will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case-insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
Code Snippet
Consider the following code snippet to set the sun.io.useCanonCaches properly in a Java application:
public static void main(String[] args) {
System.setProperty("sun.io.useCanonCaches", "false");
// Launch your application here
}
Alternatively, you can set it as a JVM argument at startup
java -Dsun.io.useCanonCaches=false -jar yourapp.jar
Original References
- Apache Tomcat Security Advisory: http://tomcat.apache.org/security.html
- Apache Tomcat Versions: http://tomcat.apache.org/whichversion.html
- CVE-2024-50379: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379
- CVE-2024-56337: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56337
Conclusion
In order to ensure the security of your Apache Tomcat installations, it is important to assess your systems for the presence of the CVE-2024-56337 vulnerability and implement the appropriate mitigation as mentioned above. Keep your Tomcat installations updated to the latest versions and continually monitor any new security advisories.
Timeline
Published on: 12/20/2024 16:15:24 UTC