Overview of CVE-2024-50379 and CVE-2024-56337 in Tomcat and TomEE

You may have noticed a couple of new CVEs in Tomcat recently – CVE-2024-50379 and CVE-2024-56337. These vulnerabilities are rated “important” and could lead to remote code execution (RCE) if exploited. As TomEE is built on Tomcat, this is also an issue for TomEE users.

Let’s take a closer look so you can understand the impact and check whether your Tomcat/TomEE configuration may be affected.

Detailed Analysis of the Vulnerability and Its Impact

From the CVE description: 

“If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.”


The default servlet in Tomcat serves resources from the application's deployment directory on the file system. It is mapped to “/” in ${CATALINA_HOME}/conf/web.xml:

<servlet-mapping>
     <servlet-name>default</servlet-name>
     <url-pattern>/</url-pattern>
</servlet-mapping>

When a URL is requested and no other servlet mapping's URL pattern matches, the default servlet services that request. As a simple example, if you create a webapp that is empty except for an index.html file, Tomcat’s DefaultServlet will serve that file.

The Default servlet also has the ability to allow PUT requests to upload files, but this is not enabled by default. 

When file upload has been enabled, there is a concurrency issue in which the case-sensitivity check may not be applied correctly. For example, the Default servlet might be used to PUT INDEX.JSP, and the JSP servlet (mapped to “*.jsp” and “*.jspx”) may then serve that file for a GET index.jsp request (note the different cases in the two requests). It is not possible to simply PUT index.jsp, as that request would be handled by the JspServlet, which does not allow PUTs to write JSP files to the server, as that would be an obvious security flaw.

Java itself has a file canonicalization cache, which caches canonical file name lookups for 30 seconds as a performance enhancement. This cache is enabled by default in Java versions before 12; Java 12 changed the default to false, and Java 21 removed the cache completely.

Assessing Your Risk: Are You Affected by These CVEs?

The community-supported versions affected are:

  • Apache Tomcat 9.0.x – 9.0.97 
  • Apache Tomcat 10.1.x – 10.1.33
  • Apache Tomcat 11.0.x – 11.0.1 
  • Apache TomEE 9.x – 9.1.3 

Our security team has confirmed these EOL Tomcat and TomEE versions are also affected. Don’t hesitate to contact us if you are interested in patched binaries for these unsupported versions.

  • Apache Tomcat 10.0.x – 10.0.27 
  • Apache Tomcat 8.5.x – 8.5.100
  • Apache TomEE 7.0.x – 7.0.9
  • Apache TomEE 7.1.x – 7.1.4
  • Apache TomEE 8.0.x – 8.0.16 

As stated in the advisory, your Tomcat or TomEE install would only be affected if:

  • You are running on a case-insensitive filesystem (e.g. Windows) and:
  • You have the “readonly” servlet parameter set to “false” on the Default servlet, for example:

<servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
     <init-param>
         <param-name>debug</param-name>
         <param-value>0</param-value>
     </init-param>
     <init-param>
         <param-name>listings</param-name>
         <param-value>false</param-value>
     </init-param>
     <init-param>
         <param-name>readonly</param-name>
         <param-value>false</param-value>
     </init-param>
     <load-on-startup>1</load-on-startup>
</servlet>

Mitigation Strategies for CVE-2024-50379 and CVE-2024-56337

  • Check your DefaultServlet <init-param> settings. Be sure to do this in ${CATALINA_HOME}/conf/web.xml, but also check your applications, in case an application's own WEB-INF/web.xml declares DefaultServlet explicitly.
  • Update to the latest available Tomcat/TomEE versions with this issue patched.
  • Set the system property sun.io.useCanonCaches to false. The default is true on Java versions before 12; Java 12 and later set it to false by default (https://bugs.openjdk.org/browse/JDK-8207005), and Java 21 removed the cache entirely.

Tomitribe provides support services for Tomcat and TomEE, which include patched binaries to mitigate security issues – please reach out to us to discuss your needs.

Jonathan Gallimore

Jonathan Gallimore is a passionate Apache TomEE committer, developer and trainer at Tomitribe. He started contributing to Apache TomEE in 2007, working on EJB 3.1 compliance, OpenEJB Eclipse Plug-in, early Tomcat 7 integration (that became the basis for TomEE) and the first version of the TomEE Arquillian adapter. Jon has worked as a developer and architect on Java EE projects across the media, banking, and sports industries.