Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Apache Foundation fixed a severe Tomcat vulnerability

The Apache Software Foundation fixed a Tomcat server software flaw that could lead to remote code execution under certain conditions. The Apache Software Foundation (ASF) addressed an important vulnerability, tracked as CVE-2024-56337, in its Tomcat server software. The researchers warn that exploiting this vulnerability could result in remote code execution under certain conditions. Apache Tomcat […]

Apache Tomcat application server

The Apache Software Foundation fixed a Tomcat server software flaw that could lead to remote code execution under certain conditions.

The Apache Software Foundation (ASF) addressed an important vulnerability, tracked as CVE-2024-56337, in its Tomcat server software. The researchers warn that exploiting this vulnerability could result in remote code execution under certain conditions.

Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages (JSP), Jakarta Expression Language, and WebSocket technologies. It is developed by the Apache Software Foundation and is widely used as a web server and servlet container for running Java-based web applications.

The flaw is a TOCTOU race condition issue in Apache Tomcat that affects versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. The vulnerability is due the incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8).

“Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat.” reads the advisory.

The CVE-2024-50379 mitigation was incomplete, requiring configuration based on Java version:

  • Java 8/11: Set sun.io.useCanonCaches to false (default is true).
  • Java 17: Ensure sun.io.useCanonCaches is false (default is false).
  • Java 21+: No configuration needed (property removed).

From Tomcat 11.0.3, 10.1.35, and 9.0.99 onward, checks will enforce proper configuration of sun.io.useCanonCaches.

Security researchers Nacl, WHOAMI, Yemoli, and Ruozhi discovered both vulnerabilities. Dawu and Sunflower of the KnownSec 404 Team independently reported this vulnerability, providing a detailed proof-of-concept.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apache Tomcat)