Two newly discovered vulnerabilities in Apache Tomcat, the widely used open-source web server and servlet container, could enable remote code execution and denial of service (DoS) attacks. The Apache Software Foundation has released patches and strongly advises users to update immediately to secure their systems.
1. CVE-2024-50379:
* Severity: Important
* Affected Versions: Apache Tomcat 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97
* Impact: Remote Code Execution
* Details: This flaw stems from a race condition during concurrent read and upload operations. If the default servlet is configured with write permissions on a case-insensitive file system, attackers can bypass case-sensitivity checks. This may result in uploaded files being interpreted as JSPs, leading to remote code execution.
2. CVE-2024-54677:
* Severity: Low
* Affected Versions: Same as CVE-2024-50379
* Impact: Denial of Service (DoS)
* Details: The vulnerability arises from the sample web applications bundled with Tomcat, which lack adequate limits on uploaded data sizes. This can cause an OutOfMemoryError, resulting in a denial of service. However, the default configuration restricts access to these examples from localhost, reducing the attack surface.
The Apache Software Foundation has released patched versions to address these vulnerabilities. Affected users should immediately upgrade to:
* Apache Tomcat 11.0.2 or later
* Apache Tomcat 10.1.34 or later
* Apache Tomcat 9.0.98 or later
These updates mitigate the vulnerabilities and enhance overall security.
Key Takeaways
* Security researchers Elysee Franchuk, Nacl, WHOAMI, Yemoli, and Ruozhi, alongside the Tomcat security team, are credited with discovering these flaws.
* Organizations using affected versions of Apache Tomcat should prioritize updates to prevent exploitation.
* The vulnerabilities highlight the importance of regular security audits, timely patching, and adhering to best practices in maintaining secure web server environments.
While the Apache Software Foundation acted swiftly, the incident serves as a reminder of the challenges in securing complex software ecosystems. IT administrators and security teams must stay vigilant, routinely review deployments, and promptly address vulnerabilities to safeguard their systems.
