Critical TOCTOU Vulnerability Discovered in Apache Tomcat
A critical vulnerability, CVE-2024-50379, has been identified in Apache Tomcat. This vulnerability allows for Remote Code Execution (RCE) due to a Time-of-Check Time-of-Use (TOCTOU) race condition during JSP compilation.
The vulnerability primarily affects environments where Apache Tomcat is deployed on case-insensitive file systems (e.g., Windows, macOS with certain configurations) and the default servlet is configured with write permissions. Although this setup is not default, it may exist in customized configurations, increasing the attack surface for malicious actors.
Affected Versions
This vulnerability impacts the following versions of Apache Tomcat:
- 11.0.0-M1 to 11.0.1
- 10.1.0-M1 to 10.1.33
- 9.0.0.M1 to 9.0.97
Exploit Details
The root cause is a TOCTOU race condition in how Tomcat handles concurrent read and write operations on the same JSP file. Attackers can exploit this vulnerability to upload malicious JSP files and execute arbitrary commands on the affected server.
While there are currently no confirmed reports of active exploitation in the wild, publicly available Proof of Concept (PoC) exploits demonstrate how attackers can exploit this flaw with minimal effort, making patching a high priority.
Proof of Concept Exploits and Risk Assessment
Although no active exploitation has been detected in the wild so far, Proof of Concept (PoC) exploits for this vulnerability are already available publicly. These PoCs provide attackers with step-by-step methods to exploit the race condition, highlighting the ease of exploitation if a vulnerable setup exists.
Despite the absence of an official CVSS score from trusted platforms like the National Vulnerability Database (NVD), this vulnerability is widely expected to be classified as important or critical due to its potential to enable Remote Code Execution (RCE) with minimal prerequisites. Organizations should treat this as a high-priority issue and address it promptly.
Am I at Risk?
To determine if your systems are at risk, consider the following:
- Operating System: Are you running Apache Tomcat on a case-insensitive file system, such as Windows or certain macOS setups?
- Servlet Configuration: Does your default servlet have write permissions enabled? This is not a default setting but may be configured in some environments.
- Version: Are you using one of the affected Apache Tomcat versions listed above?
If you answered "yes" to any of these questions, your systems may be vulnerable and require immediate attention.
Mitigation Steps
To protect your systems, follow these steps:
- Upgrade Apache Tomcat: Upgrade to one of the patched versions:
  - 11.0.2
  - 10.1.34
  - 9.0.98
- Check System Configuration:
  - Disable write permissions for the default servlet unless explicitly required.
  - Review file system configurations to ensure they are case-sensitive whenever possible.
- Java System Properties:
  - For Java 8 or Java 11, set the property -Dsun.io.useCanonCaches=false.
  - No action is needed for Java 17 or later unless sun.io.useCanonCaches is explicitly configured.
- Monitor for Exploitation Attempts: Implement logging and monitoring solutions to detect unauthorized file uploads or suspicious activity.
- Limit Exposure: Restrict access to critical directories and disable unused Tomcat components to reduce the attack surface.
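The checks above can be scripted. The following is an added example (not part of the advisory or of Apache Tomcat itself) that tests the three preconditions against a Tomcat version string, the contents of conf/web.xml, and the JVM options; it assumes the default servlet's write permission is controlled by the DefaultServlet init-param `readonly` (Tomcat's default is true), and the sample web.xml is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected branches and the first fixed patch level on each, taken from the advisory.
FIRST_FIXED = {(11, 0): 2, (10, 1): 34, (9, 0): 98}

def is_affected_version(version):
    """True if a version string such as '9.0.97', '11.0.0-M1' or '9.0.0.M1' falls inside
    one of the listed affected ranges. A milestone carries the patch number of the release
    it precedes, so comparing the patch component against the first fixed level covers it."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIRST_FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def default_servlet_writable(web_xml_text):
    """True if web.xml grants the DefaultServlet write access (init-param readonly=false).
    Tomcat treats a missing 'readonly' parameter as true, i.e. not writable."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iterfind(".//{*}servlet"):  # {*} matches any XML namespace
        cls = servlet.findtext("{*}servlet-class", default="").strip()
        if cls != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet.iterfind("{*}init-param"):
            if param.findtext("{*}param-name", default="").strip() == "readonly":
                return param.findtext("{*}param-value", default="").strip().lower() == "false"
    return False

def canon_caches_safe(java_major, java_opts):
    """Advisory rule for sun.io.useCanonCaches: it must be false on Java 8/11; on Java 17+
    only an explicit 'true' needs action."""
    explicit = re.search(r"-Dsun\.io\.useCanonCaches=(\w+)", java_opts)
    if explicit:
        return explicit.group(1).lower() == "false"
    return java_major >= 17

# Constructed sample: a customised conf/web.xml that enables writes on the default servlet.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
# Hardened form: drop the parameter so Tomcat's read-only default applies again.
HARDENED_WEB_XML = re.sub(r"<init-param>.*?</init-param>", "", WEAK_WEB_XML)
```

Feed `default_servlet_writable` the text of the running instance's conf/web.xml (and any per-application web.xml that redefines the default servlet), since the file system check still has to be made by hand.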
Conclusion
CVE-2024-50379 poses a significant risk to vulnerable Apache Tomcat deployments. While no active exploitation has been confirmed, the availability of PoC exploits underscores the urgency of addressing this flaw.
Ensure you update your Apache Tomcat installations to the latest version and review your system configurations to mitigate risks. By taking proactive steps, you can safeguard your systems from potential exploitation and maintain a secure environment.
For more detailed guidance, refer to the official Apache Tomcat Security Advisory and the National Vulnerability Database entry.