Apache Tomcat Conditional Competition Code Execution Vulnerability (CVE-2024-50379)

Apache Tomcat Conditional Competition Code Execution Vulnerability (CVE-2024-50379)

dezembro 19, 2024 | NSFOCUS

Overview

Recently, NSFOCUS CERT detected that Apache issued a security announcement, fixing the Apache Tomcat conditional competition code execution vulnerability (CVE-2024-50379). Due to the inconsistency between Windows file system and Tomcat in case-distinguishing processing of paths, when the write function of default servlet is enabled (set readonly=false and allow PUT method), unauthenticated attackers can construct a special path to bypass Tomcat’s path verification mechanism. Through conditional competition, they continuously send requests for uploading files containing malicious JSP codes to trigger Tomcat to parse and execute them. This enables remote code execution. The CVSS rating is 9.8, and PoC has been made public. Relevant users are advised to take measures for protection as soon as possible.

Reference link: https://www.mail-archive.com/announce@apache.org/msg09703.html

Scope of Impact

Affected version

  • 11.0.0-M1 <= Apache Tomcat <= 11.0.1
  • 10.1.0-M1 <= Apache Tomcat <= 10.1.33
  • 9.0.0.M1 <= Apache Tomcat <= 9.0.97

Note: It only affects enabling the PUT request method in Windows systems and setting the readonly initialization parameter to a non-default value of false.

Unaffected Version

  • Apache Tomcat >= 11.0.2
  • Apache Tomcat >= 10.1.34
  • Apache Tomcat >= 9.0.98

Detection

Manual detection

The name of the installation package downloaded from the Apache Tomcat official website contains the version number of Tomcat. If you do not change the directory name of Tomcat after decompression, you can check the folder name to determine the current version.

If the Tomcat directory name after decompression has been modified or is installed using Windows Service Installer, you can use the built-in version module to obtain the current version. You can also enter the bin directory of the Tomcat installation directory and run version.bat (Linux running version.sh) to view the current software version number.

If this version is within the affected range, check whether the PUT method is enabled in the conf\web.xml file. Open the web.xml file, and if readonly is set to false in org.apache.catalina.servlets.DefaultServlet, there is a vulnerability risk.

Mitigation

Official upgrade

At present, a new version has been officially released to fix this vulnerability. Please upgrade the affected version as soon as possible for protection.

Download link:

https://tomcat.apache.org/download-11.cgi

https://tomcat.apache.org/download-10.cgi

https://tomcat.apache.org/download-90.cgi

Temporary measures

If relevant users cannot upgrade temporarily, the following measures can also be taken for temporary relief:

1. On the premise of not affecting services, relevant users can set the readonly parameter in the conf/web.xml file to true or make comments

2. Disable the PUT method and restart Tomcat service to make the configuration take effect.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.