A critical security vulnerability, tracked as CVE-2024-50379, has been disclosed in the Apache Tomcat web server. The flaw allows remote code execution (RCE) through a Time-of-Check to Time-of-Use (TOCTOU) race condition during JSP compilation. Tomcat checks a requested path before deciding how to treat the file behind it, but there is a short window between that check and the moment the file is actually read and compiled. An attacker who can write files through the server in that window can get a malicious JSP compiled and executed, provided the conditions below are met.
Two conditions must both hold. First, the web application directory must sit on a case-insensitive file system, such as the default NTFS configuration on Windows, so that two names differing only in case (for example `shell.jsp` and `shell.Jsp`) resolve to the same file. Second, the default servlet must be configured to allow write operations, which means the `readonly` init-param of `org.apache.catalina.servlets.DefaultServlet` has been set to `false` in `conf/web.xml` or in a web application's own `WEB-INF/web.xml`. The shipped default is `true`, so a stock installation is not exposed. Under those conditions an attacker can race a request for a JSP against an HTTP PUT of the same name in a different case, so that the uploaded content is what Tomcat compiles and runs. The fix is included in Apache Tomcat 11.0.2, 10.1.34 and 9.0.98; the affected ranges are 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33 and 9.0.0.M1 through 9.0.97. Users of affected versions should upgrade. Where an upgrade cannot happen immediately, removing the `readonly=false` override (restoring the read-only default) closes the write path the attack depends on, and hosts running on case-sensitive file systems are not reachable by this particular race. The vulnerability carries a CVSS base score of 9.8, reflecting its critical severity.
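The following script is an added example written for this page; it is not part of Apache Tomcat or of the advisory. It checks the three conditions described above on a Tomcat host: whether the reported version is below the fixed release for its line, whether any `web.xml` under `CATALINA_BASE` turns the default servlet writable with `readonly=false`, and whether the file system under `webapps` is case-insensitive. The `web.xml` fragments embedded for the self-test are constructed samples; the version strings and the `CaseProbe.txt` file name are assumptions for illustration only.

```python
"""Exposure check for CVE-2024-50379 (added example, not Tomcat's own code).

Usage on the Tomcat host:
    python check_cve_2024_50379.py <CATALINA_BASE> <tomcat-version>
The version string can be obtained with:
    java -cp <CATALINA_HOME>/lib/catalina.jar org.apache.catalina.util.ServerInfo
"""
import glob
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

# First fixed release on each supported line, per the advisory. The trailing 1
# marks a final release; milestones (e.g. 11.0.0-M1) get 0 so they sort below it.
FIXED = {(11, 0): (11, 0, 2, 1), (10, 1): (10, 1, 34, 1), (9, 0): (9, 0, 98, 1)}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(text):
    """Turn '9.0.97', '11.0.0-M26' or '9.0.0.M1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 1 if milestone is None else 0)


def version_is_vulnerable(text):
    """True if below the fixed release on its line; None if the line is not listed."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed


def default_servlet_writable(web_xml):
    """True if a DefaultServlet declaration sets readonly=false.

    Applies to conf/web.xml and to a webapp's WEB-INF/web.xml, which may
    re-declare the default servlet. Tomcat's default for readonly is true,
    so an absent init-param means read-only. The {*} prefix matches any
    namespace (javaee or jakartaee).
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iterfind(".//{*}servlet"):
        cls = servlet.findtext("{*}servlet-class", default="").strip()
        if cls != DEFAULT_SERVLET:
            continue
        for param in servlet.iterfind("{*}init-param"):
            name = param.findtext("{*}param-name", default="").strip()
            value = param.findtext("{*}param-value", default="").strip()
            if name == "readonly" and value.lower() == "false":
                return True
    return False


def fs_is_case_insensitive(directory=None):
    """Create a probe file and look it up under a differently cased name."""
    with tempfile.TemporaryDirectory(dir=directory or tempfile.gettempdir()) as tmp:
        with open(os.path.join(tmp, "CaseProbe.txt"), "w") as f:  # assumed probe name
            f.write("x")
        return os.path.exists(os.path.join(tmp, "caseprobe.txt"))


def assess(version, web_xml_texts, case_insensitive):
    """Combine the three conditions the advisory names into one verdict."""
    vuln_version = version_is_vulnerable(version)
    writable = any(default_servlet_writable(x) for x in web_xml_texts)
    return {
        "vulnerable_version": vuln_version,
        "default_servlet_writable": writable,
        "case_insensitive_fs": case_insensitive,
        "exposed": bool(vuln_version) and writable and case_insensitive,
    }


# Constructed sample web.xml fragments used for the self-test below.
SAMPLE_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

SAMPLE_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
  </servlet>
</web-app>"""


if __name__ == "__main__":
    base, version = sys.argv[1], sys.argv[2]
    paths = [os.path.join(base, "conf", "web.xml")]
    paths += glob.glob(os.path.join(base, "webapps", "*", "WEB-INF", "web.xml"))
    texts = [open(p, encoding="utf-8").read() for p in paths if os.path.exists(p)]
    verdict = assess(version, texts, fs_is_case_insensitive(os.path.join(base, "webapps")))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The version check returns `None` for release lines the advisory does not list rather than guessing; treat that as "look it up", not as "safe". The configuration check only covers `readonly=false` on the default servlet, which is the write path the advisory names; any other upload mechanism an application provides has to be reviewed separately.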