Afonso Infante's Cybersecurity Blog

Demystifying Cybersecurity: Insights from an Industry Expert

Deep Dive into CVE-2024-50379: A Critical Vulnerability in Apache Tomcat

Apache Tomcat, a widely used open-source web server and servlet container, was recently found to have a critical vulnerability, designated CVE-2024-50379. This vulnerability allows attackers to execute arbitrary code on affected systems, potentially leading to severe consequences such as data breaches, system compromise, and service disruption [1]. This blog post delves into the technical details of CVE-2024-50379, exploring its root cause, potential impact, and real-world exploit scenarios. It also provides comprehensive recommendations for mitigation and prevention to help organizations protect their systems from this critical threat.

Understanding CVE-2024-50379

CVE-2024-50379 is classified as a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability that occurs during JSP compilation in Apache Tomcat [2]. This type of vulnerability arises when a system’s security checks and the actual use of a resource are not performed atomically, creating a window of opportunity for attackers to exploit. This vulnerability is particularly dangerous on systems like Windows that have case-insensitive file systems [4]. In the case of CVE-2024-50379, the vulnerability occurs when Tomcat is configured to run on a case-insensitive file system with the default servlet’s write functionality enabled [3].

Affected Versions and Available Patches

The following table shows the versions of Apache Tomcat affected by CVE-2024-50379 and the corresponding patched versions:

Affected Version Range         Patched Version
11.0.0-M1 through 11.0.1       11.0.2 or later
10.1.0-M1 through 10.1.33      10.1.34 or later
9.0.0.M1 through 9.0.97        9.0.98 or later

Technical Details and Exploitation

The root cause of CVE-2024-50379 lies in the interaction between Tomcat’s JSP compilation process and case-insensitive file systems. When a JSP file is requested, Tomcat checks if the file exists and if it is safe to compile. However, on case-insensitive file systems, an attacker can exploit the time gap between the check and the compilation by uploading a malicious JSP file with a different case. This malicious file can then be executed by Tomcat, leading to remote code execution [4].

To better understand this vulnerability, let’s break down the exploitation process step-by-step:

  1. Initial Check: Tomcat receives a request for a JSP file (e.g., “file.jsp”) and checks if it exists on the server.
  2. Vulnerability Window: There is a brief moment between Tomcat’s check and the actual compilation of the JSP file.
  3. Exploitation: An attacker exploits this window by quickly uploading a malicious JSP file with a different case (e.g., “FILE.JSP”). Due to the case-insensitive file system, this overwrites the original “file.jsp”.
  4. Code Execution: Tomcat, unaware of the replacement, proceeds to compile and execute the malicious “FILE.JSP”, granting the attacker control [4].

Additional technical articles highlight that this vulnerability arises from a race condition where multiple threads attempt to access and modify shared data simultaneously [5]. The outcome of this race condition depends on the unpredictable order in which these threads execute, creating an opportunity for attackers to manipulate the file system and execute malicious code [6].

To successfully exploit this vulnerability, an attacker needs to meet certain conditions:

  • The Tomcat server must be running on a case-insensitive file system.
  • The default servlet’s readonly initialization parameter must be set to false, which enables write access. This is a non-default configuration, which reduces the vulnerability’s attack surface [7].
  • The application must be under load, with concurrent read and upload operations occurring on the same file [7].

While these conditions may not always be present, the potential impact of CVE-2024-50379 is significant, making it crucial for organizations to take appropriate mitigation measures.

Potential Impact

CVE-2024-50379 has a CVSS v3.1 score of 9.8, indicating a critical severity level [8]. If exploited, this vulnerability could allow attackers to:

  • Execute arbitrary code on the affected system.
  • Gain complete control of the server.
  • Steal sensitive data.
  • Disrupt services.
  • Install malware.
  • Launch further attacks on other systems within the network [9].

If this vulnerability is exploited, an attacker can execute arbitrary code on the affected system, potentially leading to a complete compromise of the system [10]. The impact of this vulnerability can be particularly severe for organizations that handle sensitive data or rely on Tomcat for critical business operations.

Real-World Examples of Exploitation

While there are no widely reported cases of active exploitation of CVE-2024-50379 in the wild at the time of writing, the potential for exploitation is high [1]. Proof-of-concept exploits are publicly available, demonstrating the feasibility of exploiting this vulnerability [9]. It is therefore essential for organizations to proactively address this vulnerability to prevent potential attacks.

Recommendations for Mitigation and Prevention

To mitigate the risk posed by CVE-2024-50379, organizations should implement the following recommendations:

1. Upgrade to Patched Versions

The most effective mitigation strategy is to upgrade to the latest patched versions of Apache Tomcat. This ensures that the vulnerability is addressed and prevents potential exploitation [3].

2. Disable Default Servlet Write Access

If upgrading is not immediately feasible, organizations should disable the default servlet’s write access by setting the readonly initialization parameter to true in the web.xml file. This prevents attackers from exploiting the vulnerability by uploading malicious files [7].

3. Configure Java System Properties

For systems running older Java versions (Java 8 or Java 11), it is crucial to set the system property sun.io.useCanonCaches to false. This mitigates a related vulnerability (CVE-2024-56337) that can be chained with CVE-2024-50379 to achieve remote code execution [4]. For Java 17, ensure that sun.io.useCanonCaches is set to false if explicitly configured. No additional action is needed for Java 21 or later [3].
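The three conditions covered by recommendations 1 to 3 (Tomcat version, default servlet write access, and the sun.io.useCanonCaches property) can be checked mechanically before a maintenance window. The script below is an added example, not code from this post or from the Tomcat project; it assumes the caller supplies the Tomcat version string, the contents of web.xml and the JVM options, uses the fixed versions from the table above as the patched baseline, and the sample web.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET
# Fixed versions from the post's table, keyed by release line.
PATCHED = {"11.0": (11, 0, 2), "10.1": (10, 1, 34), "9.0": (9, 0, 98)}

# Constructed sample web.xml: default servlet opened for writes (the exposed setting).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
<servlet-name>default</servlet-name><init-param><param-name>readonly</param-name>
<param-value>false</param-value></init-param></servlet></web-app>"""

def parse_version(v):
    """'10.1.33' -> (10, 1, 33, 1); milestones ('11.0.0-M1', '9.0.0.M1') sort below the release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([.-]M\d+)?$", v)
    if not m:
        raise ValueError("unrecognised Tomcat version: " + v)
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch, 0 if m.group(4) else 1)

def version_is_patched(v):
    """True at or above the fixed version of v's line; None if the line is not in the table."""
    parsed = parse_version(v)
    fixed = PATCHED.get(f"{parsed[0]}.{parsed[1]}")
    return None if fixed is None else parsed >= fixed + (1,)

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace

def default_servlet_writable(web_xml):
    """True when the 'default' servlet sets readonly=false; Tomcat's default is true."""
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet.tag) != "servlet":
            continue
        names = [(c.text or "").strip() for c in servlet if local(c.tag) == "servlet-name"]
        if names != ["default"]:
            continue
        for ip in servlet:
            if local(ip.tag) == "init-param":
                kv = {local(c.tag): (c.text or "").strip() for c in ip}
                if kv.get("param-name") == "readonly":
                    return kv.get("param-value", "").lower() == "false"
    return False

def canon_caches_mitigated(java_major, jvm_opts):
    """Per the post: Java 8/11 need -Dsun.io.useCanonCaches=false, 17 must not set true, 21+ nothing."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\w+)", jvm_opts)
    value = m.group(1).lower() if m else None
    if java_major >= 21:
        return True
    return value != "true" if java_major >= 17 else value == "false"
```

A deployment is exposed when version_is_patched is False, default_servlet_writable is True and the host uses a case-insensitive file system; canon_caches_mitigated covers the chained CVE-2024-56337 guidance.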

4. Monitor Logs and Network Traffic

Organizations should continuously monitor their server logs and network traffic for any suspicious activity. This can help detect potential exploitation attempts and enable timely response [5].
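One concrete form of the log monitoring described above, as an added example that is not from the post or any vendor tool: it scans Tomcat access-log lines in the common pattern (%h %l %u %t "%r" %s %b) for writes to JSP paths through the default servlet, and for a later request to the same path in a different case, which is the sequence the exploitation steps above describe. The log lines are constructed and the five-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in Tomcat's common access-log pattern (%h %l %u %t "%r" %s %b).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2024:10:15:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 1024
10.0.0.9 - - [20/Dec/2024:10:15:02 +0000] "PUT /app/Upload.JSP HTTP/1.1" 201 -
10.0.0.9 - - [20/Dec/2024:10:15:02 +0000] "GET /app/upload.jsp HTTP/1.1" 200 37
10.0.0.7 - - [20/Dec/2024:10:16:10 +0000] "PUT /app/data/report.txt HTTP/1.1" 204 -
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WRITE_METHODS = {"PUT", "POST"}  # methods that can create files via the default servlet

def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status = m.groups()
    return {"host": host, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path.split("?", 1)[0], "status": int(status)}

def find_suspicious(log_text, window_seconds=5):
    """Two signals: (1) any write of a *.jsp/*.jspx path, which the default servlet should never
    accept; (2) a write followed within window_seconds by a request for the same path in another case."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    writes = []  # JSP writes seen so far, for case-variant correlation
    for e in events:
        is_jsp = e["path"].lower().endswith((".jsp", ".jspx"))
        if e["method"] in WRITE_METHODS and is_jsp:
            alerts.append(("jsp_write", e["host"], e["path"]))
            writes.append(e)
        elif is_jsp:
            for w in writes:
                same = w["path"].lower() == e["path"].lower() and w["path"] != e["path"]
                if same and 0 <= (e["time"] - w["time"]).total_seconds() <= window_seconds:
                    alerts.append(("case_variant_after_write", e["host"], w["path"], e["path"]))
    return alerts
```

On a read-only default servlet the first signal should never fire at all, so a single jsp_write alert is worth investigating even without the second.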

5. Implement Security Best Practices

In addition to the specific recommendations for CVE-2024-50379, organizations should adhere to general security best practices, such as:

  • Regularly updating software to the latest versions.
  • Implementing strong passwords and access controls.
  • Using firewalls and intrusion detection systems.
  • Conducting regular security assessments and penetration testing.

By implementing these recommendations, organizations can significantly reduce their risk of being affected by CVE-2024-50379 and other vulnerabilities.

Conclusion

CVE-2024-50379 is a critical vulnerability in Apache Tomcat that can have severe consequences if exploited. Organizations should take immediate action to mitigate this vulnerability by upgrading to patched versions, disabling default servlet write access, configuring Java system properties, monitoring logs and network traffic, and implementing security best practices. By proactively addressing this threat and staying informed about security threats, organizations can protect their systems and data from potential attacks and ensure the ongoing security of Tomcat deployments.

Works cited

1. WARNING: CRITICAL RCE VULNERABILITY IN APACHE TOMCAT, CVE-2024-50379, PATCH IMMEDIATELY!! | Cert, accessed December 26, 2024, https://www.cert.be/de/advisory/warning-critical-rce-vulnerability-apache-tomcat-cve-2024-50379-patch-immediately

2. Deep Dive & POC of CVE-2024-50379 Exploit Tomcat Vulnerability …, accessed December 26, 2024, https://medium.com/@patelvidhi4288/deep-dive-poc-of-cve-2024-50379-exploit-tomcat-vulnerability-9-8-severity-776cfcfcf3ed

3. CVE-2024-50379: New Critical Vulnerability in Apache Tomcat – Vulcan Cyber, accessed December 26, 2024, https://vulcan.io/blog/how-to-fix-cve-2024-50379/

4. CVE-2024-50379: A Critical Race Condition in Apache Tomcat – Mend.io, accessed December 26, 2024, https://www.mend.io/blog/cve-2024-50379-a-critical-race-condition-in-apache-tomcat/

5. CVE-2024-50379: Apache Tomcat Remote Code Execution Vulnerability – SecPod Blog, accessed December 26, 2024, https://www.secpod.com/blog/cve-2024-50379-apache-tomcat-remote-code-execution-vulnerability/

6. Apache Tomcat Conditional Competition Code Execution Vulnerability (CVE-2024-50379) – NSFOCUS, Inc., accessed December 26, 2024, https://nsfocusglobal.com/apache-tomcat-conditional-competition-code-execution-vulnerability-cve-2024-50379/

7. CVE-2024-50379 – Red Hat Customer Portal, accessed December 26, 2024, https://access.redhat.com/security/cve/cve-2024-50379

8. CVE-2024-50379 Detail – NVD, accessed December 26, 2024, https://nvd.nist.gov/vuln/detail/CVE-2024-50379

9. CVE-2024-50379 – Exploits & Severity – Feedly, accessed December 26, 2024, https://feedly.com/cve/CVE-2024-50379

10. Apache Tomcat vulnerability CVE-2024-50379 – Esri Community, accessed December 26, 2024, https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379/m-p/1569975
