A critical vulnerability in Apache Tomcat allows remote code execution. The Apache Foundation released a security update last week, but it did not appear to completely solve the problem, and a new patch has now been made available. Tomcat is software for running a web server. Last Tuesday, the Apache Foundation warned about a vulnerability tracked as CVE-2024-50379.
When Tomcat is running on a case-insensitive file system with write access enabled for the default servlet, it is possible to upload files and bypass Tomcat's checks, which can lead to remote code execution. CISA, the US cybersecurity agency, has rated the impact of this vulnerability 9.8 on a scale of 1 to 10.
However, the update released by the Apache Foundation turned out to be incomplete, and a new CVE number was assigned, namely CVE-2024-56337. According to the Apache Foundation, systems running the configuration described above, which is not the default, will need additional adjustments depending on the Java version in use.
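As an added example (not code from the article or from the Apache project), the following Python check parses a Tomcat web.xml and reports whether the default servlet has write access enabled, which is the non-default precondition the advisory describes. The sample documents are constructed; the `readonly` init-param name and the DefaultServlet class name are Tomcat's own.

```python
"""Audit a Tomcat web.xml for the precondition named in the advisory:
the DefaultServlet declared with write access (init-param readonly=false)."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    # Tomcat's web.xml declares an XML namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    # Return the stripped text of the first direct child with this local name.
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_writable(web_xml: str) -> bool:
    """True if any DefaultServlet declaration sets readonly to false.

    Tomcat's default for readonly is true, so a missing param counts as safe.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = _child_text(param, "param-name")
            value = _child_text(param, "param-value")
            if name == "readonly" and value is not None and value.lower() == "false":
                return True
    return False


# Constructed sample: a Tomcat-style web.xml with write access enabled.
SAMPLE_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: readonly set back to its default of true.
SAMPLE_READONLY = SAMPLE_WRITABLE.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    for label, doc in (("writable", SAMPLE_WRITABLE), ("readonly", SAMPLE_READONLY)):
        print(label, "-> default servlet write enabled:", default_servlet_writable(doc))
```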
In short:
| Key Aspect | Details |
|---|---|
| Vulnerability Name | CVE-2024-50379 and CVE-2024-56337 |
| Severity Rating | 9.8 (out of 10) by CISA |
| Affected Software | Apache Tomcat |
| Issue Description | Allows remote code execution via file upload bypass |
| Recommended Action | Apply the new patch and configure systems as necessary |