New Vulnerabilities in Apache Tomcat Could Enable Remote Code Execution
Two new critical vulnerabilities have been identified in the popular open-source web server and servlet container Apache Tomcat. These vulnerabilities could allow attackers to perform remote code execution (RCE) and denial-of-service (DoS) attacks.
The Apache Software Foundation has released patches to address these security issues and strongly advises users to update their systems immediately.
Details of the Vulnerabilities
- CVE-2024-50379: Remote Code Execution (RCE)
This vulnerability is rated as “Critical” and affects the following versions of Apache Tomcat:
- Apache Tomcat versions 11.0.0-M1 through 11.0.1;
- Apache Tomcat versions 10.1.0-M1 through 10.1.33;
- Apache Tomcat versions 9.0.0.M1 through 9.0.97.
The vulnerability stems from flaws in Tomcat’s integrity checks. If the default servlet is configured with write permissions and the file system is case-insensitive, an attacker can exploit a race condition between a concurrent upload and read of the same file. As a result, an uploaded file may be treated as a JSP file, which can then enable remote code execution.
- CVE-2024-54677: Denial of Service (DoS)
This vulnerability is rated as “Low” severity but can still pose a significant risk. It affects the same versions of Apache Tomcat and can facilitate denial-of-service attacks.
The issue arises from a flaw in the sample web applications provided with Tomcat. These applications lack a mechanism to limit the size of uploaded data. Consequently, uploading large amounts of data can lead to an “OutOfMemoryError,” causing the service to crash.
However, by default, Tomcat’s sample applications are only accessible via localhost, which somewhat limits the attack surface.
The Apache Software Foundation recommends upgrading to the following versions to address both vulnerabilities:
- Apache Tomcat 11.0.2 or later;
- Apache Tomcat 10.1.34 or later;
- Apache Tomcat 9.0.98 or later.
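As an added defender's check, not code from the advisory or the Tomcat project: this script flags an installation that runs one of the affected versions listed above (older than 11.0.2, 10.1.34 or 9.0.98 on its branch) or whose conf/web.xml sets the DefaultServlet's readonly parameter to false, the write-enabled precondition for CVE-2024-50379. The servlet class name and the readonly init-param are Tomcat's own; the web.xml fragment is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

FIXED = {11: (11, 0, 2), 10: (10, 1, 34), 9: (9, 0, 98)}  # first fixed release per branch

def parse_version(v):
    """'11.0.0-M1', '9.0.0.M1' or '9.0.97' -> comparable tuple; milestones sort before the GA."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else float("inf"))

def is_affected(version):
    parsed = parse_version(version)  # branches outside the advisory (e.g. 8.5.x) are not judged here
    fixed = FIXED.get(parsed[0])
    return fixed is not None and parsed < (*fixed, float("inf"))

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the javaee/jakartaee namespace prefix

def default_servlet_writable(web_xml_text):
    """True if web.xml sets init-param readonly=false on the DefaultServlet, i.e. writes are enabled."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for p in servlet:
            if _local(p.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in p}
                if kv.get("param-name") == "readonly":
                    return kv.get("param-value", "").lower() == "false"
    return False  # readonly is true when the parameter is absent

def assess(version, web_xml_text):
    findings = []
    if is_affected(version):
        findings.append(f"{version} predates the fixed release: upgrade (CVE-2024-50379, CVE-2024-54677)")
    if default_servlet_writable(web_xml_text):
        findings.append("DefaultServlet readonly=false: RCE precondition met; set readonly to true")
    return findings

SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""  # constructed sample in the shape of conf/web.xml, not from a real installation
```

Run `assess("10.1.33", SAMPLE_WEB_XML)` against a real installation's version string and conf/web.xml text to get both findings; an empty list means neither condition applies.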
Updating to these versions will significantly enhance the security of Tomcat installations. Organizations using affected versions should apply these updates as soon as possible.
The discovery of these vulnerabilities highlights the importance of regular security audits for web server environments and timely application of patches. Since Apache Tomcat is widely used in corporate environments, the impact of these vulnerabilities could be substantial.
IT administrators and security professionals should immediately review their Tomcat installations and apply the necessary updates. Although the Apache Software Foundation has quickly addressed these issues, this incident serves as a reminder of the ongoing challenges in maintaining security within complex software ecosystems.