Note: This Emerging Threat is also published in the new Fortra Security & Trust Center - the new location for all Emerging Threats beginning in January 2025. Refer to Emerging Threats Moving to Fortra.com for more information on following Emerging Threats in their new location.
Fortra is actively researching critical vulnerabilities in Apache Tomcat – CVE-2024-50379 and CVE-2024-56337. The initial patch for CVE-2024-50379 was incomplete, leaving code execution possible on case-insensitive file systems when the default servlet is enabled for write. Users are recommended to update Tomcat installations to the latest secure version to fully mitigate these vulnerabilities.
Who is affected?
The following Apache Tomcat versions are vulnerable:
- 11.0.0-M1 to 11.0.1
- 10.1.0-M1 to 10.1.33
- 9.0.0.M1 to 9.0.97
Users running Tomcat on a case-insensitive file system with the default servlet write-enabled (the readonly initialization parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java they are using with Tomcat.
What can I do?
Update Tomcat installations to the latest secure versions.
- Apache Tomcat 11.0.2 or later
- Apache Tomcat 10.1.34 or later
- Apache Tomcat 9.0.98 or later
The following additional steps can be taken depending on the Java version used with Tomcat.
- Java 8 or Java 11: Explicitly set the system property sun.io.useCanonCaches to false.
- Java 17: Ensure the system property sun.io.useCanonCaches, if set, is set to false.
- Java 21 and later: No further action is required.
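The following POSIX shell snippet is an added example (not part of the Fortra advisory or of Apache Tomcat) that turns the two checklists above into scriptable checks: whether a Tomcat version string falls in a fixed release line, and whether the JVM options satisfy the sun.io.useCanonCaches guidance for a given Java major version. The version strings and JVM option strings fed to it at the bottom are constructed sample input; pass 8 for a Java 1.8 runtime.

```shell
#!/bin/sh
# Added example: check Tomcat version and JVM options against the advisory.

# Returns 0 if the Tomcat version is in a fixed line (>= 9.0.98, >= 10.1.34,
# >= 11.0.2), 1 otherwise. Milestone builds (11.0.0-M1, 9.0.0.M1) all
# predate the fixes and are reported as needing an update.
tomcat_is_fixed() {
  v=$1
  case "$v" in
    *-M*|*.M*) return 1 ;;
  esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}   # strip suffixes, default 0
  case "$major.$minor" in
    9.0)  [ "$patch" -ge 98 ] ;;
    10.1) [ "$patch" -ge 34 ] ;;
    11.0) [ "$patch" -ge 2 ] ;;
    *)    return 1 ;;                          # unknown line: not verified
  esac
}

# Returns 0 if the JVM options meet the advisory for the given Java major:
#   8 / 11 : sun.io.useCanonCaches must be explicitly set to false
#   17     : property may be absent, but if set it must be false
#   21+    : nothing required
canon_caches_ok() {
  java_major=$1; opts=$2
  is_set=0; explicit_false=0
  case "$opts" in *-Dsun.io.useCanonCaches=*) is_set=1 ;; esac
  case "$opts" in
    *-Dsun.io.useCanonCaches=false" "*|*-Dsun.io.useCanonCaches=false) explicit_false=1 ;;
  esac
  if [ "$java_major" -ge 21 ]; then
    return 0
  elif [ "$java_major" -ge 17 ]; then
    [ "$is_set" -eq 0 ] || [ "$explicit_false" -eq 1 ]
  else
    [ "$explicit_false" -eq 1 ]
  fi
}

# Constructed sample input: a mix of pre- and post-fix versions, and a Java 11
# host whose CATALINA_OPTS lacks the property.
for v in 9.0.97 9.0.98 10.1.34 11.0.0-M1 11.0.2; do
  if tomcat_is_fixed "$v"; then echo "$v: fixed line"; else echo "$v: update required"; fi
done
canon_caches_ok 11 "-Xmx1g" || echo "Java 11: add -Dsun.io.useCanonCaches=false to CATALINA_OPTS"
```

On a real host, feed tomcat_is_fixed the version printed by catalina.sh version and canon_caches_ok the value of CATALINA_OPTS or JAVA_OPTS from setenv.sh.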
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Alert Logic Network IDS: Alert Logic has deployed updated IDS signatures to include detection of CVE-2024-56337.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on December 27, 2024, to identify vulnerable instances, followed by authenticated and agent-based scan coverage on December 30, 2024.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
12/26/2024: Alert Logic deployed updated IDS signatures to include detection of CVE-2024-56337.
12/27/2024: Alert Logic released unauthenticated scan coverage to identify vulnerable instances.
12/30/2024: Alert Logic released authenticated and agent-based scan coverage to identify vulnerable instances.