CyberSecurity news

Source: securityboulevard.com
A critical security vulnerability, identified as CVE-2024-50379, has been disclosed in the Apache Tomcat web server. This flaw exposes the platform to remote code execution (RCE) due to a Time-of-Check to Time-of-Use (TOCTOU) race condition during JSP compilation. The vulnerability stems from a timing issue where Tomcat checks if a JSP file is safe to compile, but a small window exists for an attacker to modify the file before it is actually used. This allows malicious JSP files to be uploaded and executed on the server if certain conditions are met.

The vulnerability is exploitable only on case-insensitive file systems, such as Windows, and only if the default servlet is configured to allow write operations. An attacker could take advantage of this by quickly uploading a malicious JSP file whose name differs only in letter case before Tomcat compiles it, thus executing the malicious code. Patches for this vulnerability are available in Apache Tomcat versions 11.0.2, 10.1.34, and 9.0.98 and later. Users of affected versions are urged to upgrade to these versions to mitigate this risk. The vulnerability has a severity rating of 9.8, highlighting the critical nature of the issue.
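As an added example (not code from the page, from securityboulevard.com, or from the Apache Tomcat project), the following Python script turns the exposure conditions described above into a local check: it compares a Tomcat version string against the fixed releases the page names (9.0.98, 10.1.34, 11.0.2) and inspects a web.xml for a DefaultServlet that allows writes. It assumes that "configured to allow write operations" corresponds to the DefaultServlet's `readonly` init-param being set to `false` (Tomcat's parameter; the page itself does not name it), and the two web.xml fragments are constructed samples, not taken from any real deployment.

```python
"""Local check for the CVE-2024-50379 exposure conditions described on the page."""
import re
import xml.etree.ElementTree as ET

# Fixed releases named on the page: 9.0.98, 10.1.34 and 11.0.2 (and later).
FIXED_VERSIONS = {
    9: (9, 0, 98),
    10: (10, 1, 34),
    11: (11, 0, 2),
}


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch'; any trailing suffix such as '-M1' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str):
    """True if the version is at or above the fixed release for its major line.
    Returns None for a major line the advisory does not cover (cannot judge)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text: str) -> bool:
    """True if a DefaultServlet declaration sets init-param 'readonly' to false.
    Assumption: 'readonly' is the write switch; it defaults to true when absent."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = ""
        params = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pn = pv = ""
                for leaf in child:
                    if _local(leaf.tag) == "param-name":
                        pn = (leaf.text or "").strip()
                    elif _local(leaf.tag) == "param-value":
                        pv = (leaf.text or "").strip()
                params[pn] = pv
        if servlet_class.endswith(".DefaultServlet"):
            return params.get("readonly", "true").lower() == "false"
    return False


def at_risk(version: str, web_xml_text: str, case_insensitive_fs: bool) -> bool:
    """All three page-stated conditions must hold: unpatched version,
    case-insensitive file system, and a writable default servlet.
    A major line the advisory does not cover is reported as not at risk by this check."""
    return bool(
        is_patched(version) is False
        and case_insensitive_fs
        and default_servlet_writable(web_xml_text)
    )


# Constructed sample web.xml fragments (not from any real deployment).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")

if __name__ == "__main__":
    for ver in ("9.0.97", "9.0.98", "10.1.33", "11.0.2"):
        print(ver, "patched:", is_patched(ver),
              "at risk (Windows, writable):", at_risk(ver, WEAK_WEB_XML, True))
```

Run it against the version reported by the Tomcat instance and the deployed web.xml; a result of "at risk" means all three conditions the page lists are present and upgrading (or setting `readonly` back to `true`) removes the exposure.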

References:
  • Apache Tomcat security advisory 17 December 2024 (9.8 critical) RCE (remote code execution) due to TOCTOU (time-of-check to time-of-use) issue in JSP compilation. No mention of exploitation.
  • securityboulevard.com: CVE-2024-50379: A Critical Race Condition in Apache Tomcat
  • www.mail-archive.com: Apache Tomcat security advisory 17 December 2024 (9.8 critical) RCE (remote code execution) due to TOCTOU (time-of-check to time-of-use) issue in JSP compilation.
  • The Hacker News: The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.
  • securityaffairs.com: The Apache Software Foundation fixed a Tomcat server software flaw that could lead to remote code execution under certain conditions.
  • securityonline.info: The Apache Software Foundation recently released a critical security update to address a remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337.
  • BleepingComputer: Apache has released a security update that addresses an important vulnerability in Tomcat web server that could lead to an attacker achieving remote code execution.
  • ciso2ciso.com: Apache Foundation fixed a severe Tomcat vulnerability – Source: securityaffairs.com