csaf_certbund - wid-sec-w-2024-3744

wid-sec-w-2024-3744

Vulnerability from csaf_certbund

Published

2024-12-22 23:00

Modified

2025-01-19 23:00

Summary

Apache Tomcat: Schwachstelle ermöglicht Codeausführung

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Tomcat ist ein Web-Applikationsserver für verschiedene Plattformen.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Tomcat ausnutzen, um beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme

- Linux - NetApp Appliance - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Tomcat ist ein Web-Applikationsserver f\u00fcr verschiedene Plattformen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Tomcat ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- NetApp Appliance\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3744 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3744.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3744 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3744"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2024-12-22",
        "url": "https://seclists.org/oss-sec/2024/q4/164"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugzilla vom 2024-12-22",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333521"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-12-22",
        "url": "https://github.com/advisories/GHSA-27hp-xhwr-wr2m"
      },
      {
        "category": "external",
        "summary": "NetApp Security Advisory NTAP-20250103-0002 vom 2025-01-03",
        "url": "https://security.netapp.com/advisory/ntap-20250103-0002/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7180700 vom 2025-01-10",
        "url": "https://www.ibm.com/support/pages/node/7180700"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4017 vom 2025-01-17",
        "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5845 vom 2025-01-17",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00007.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Tomcat: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
    "tracking": {
      "current_release_date": "2025-01-19T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-20T09:18:26.739+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3744",
      "initial_release_date": "2024-12-22T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-12-22T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-12-23T23:00:00.000+00:00",
          "number": "2",
          "summary": "Anpassung der Produkt-Versionen"
        },
        {
          "date": "2025-01-02T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von NetApp aufgenommen"
        },
        {
          "date": "2025-01-12T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-01-16T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-01-19T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c11.0.2",
                "product": {
                  "name": "Apache Tomcat \u003c11.0.2",
                  "product_id": "T039886"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.2",
                "product": {
                  "name": "Apache Tomcat 11.0.2",
                  "product_id": "T039886-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:11.0.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.1.34",
                "product": {
                  "name": "Apache Tomcat \u003c10.1.34",
                  "product_id": "T039887"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.34",
                "product": {
                  "name": "Apache Tomcat 10.1.34",
                  "product_id": "T039887-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:10.1.34"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.0.98",
                "product": {
                  "name": "Apache Tomcat \u003c9.0.98",
                  "product_id": "T039888"
                }
              },
              {
                "category": "product_version",
                "name": "9.0.98",
                "product": {
                  "name": "Apache Tomcat 9.0.98",
                  "product_id": "T039888-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:9.0.98"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tomcat"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM Integration Bus",
            "product": {
              "name": "IBM Integration Bus",
              "product_id": "T039654",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:integration_bus:for_zos"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "for Linux",
                "product": {
                  "name": "NetApp ActiveIQ Unified Manager for Linux",
                  "product_id": "T023548",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:netapp:active_iq_unified_manager:for_linux"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for VMware vSphere",
                "product": {
                  "name": "NetApp ActiveIQ Unified Manager for VMware vSphere",
                  "product_id": "T025152",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:netapp:active_iq_unified_manager:for_vmware_vsphere"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for Microsoft Windows",
                "product": {
                  "name": "NetApp ActiveIQ Unified Manager for Microsoft Windows",
                  "product_id": "T025631",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:netapp:active_iq_unified_manager:for_microsoft_windows"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ActiveIQ Unified Manager"
          }
        ],
        "category": "vendor",
        "name": "NetApp"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-56337",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Apache Tomcat. Dieser Fehler existiert wegen einer Time-of-check Time-of-use (TOCTOU) Race Condition in der JSP-Kompilierung. Ein entfernter, anonymer Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T023548",
          "T025152",
          "2951",
          "T025631",
          "T039887",
          "T039886",
          "T039888",
          "T039654"
        ]
      },
      "release_date": "2024-12-22T23:00:00.000+00:00",
      "title": "CVE-2024-56337"
    }
  ]
}

cve-2024-56337

Vulnerability from cvelistv5

Published

2024-12-20 15:28

Modified

2025-01-03 12:04

Severity ?

Summary

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

References

▼	URL	Tags
	https://www.cve.org/CVERecord?id=CVE-2024-50379	vdb-entry
	https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Version: 11.0.0-M1 ≤ 11.0.1 Version: 10.1.0-M1 ≤ 10.1.33 Version: 9.0.0.M1 ≤ 9.0.97

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56337",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-31T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-01T04:56:29.394Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-03T12:04:31.817Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20250103-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.1",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.33",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.97",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability was first reported by Nacl, WHOAMI, Yemoli and Ruozhi."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability was independently reported with a very helpful PoC by dawu@knownsec 404 team and Sunflower@knownsec 404 team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTime-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.\u003c/p\u003e\u003cp\u003eThe mitigation for CVE-2024-50379 was incomplete.\u003c/p\u003e\u003cp\u003eUsers running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation \nparameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:\u003cbr\u003e- running on Java 8 or Java 11: the system property\u0026nbsp;sun.io.useCanonCaches must be explicitly set to false (it defaults to true)\u003cbr\u003e- running on Java 17: the\u0026nbsp;system property sun.io.useCanonCaches, if set, must be set to false\u0026nbsp;(it defaults to false)\u003cbr\u003e- running on Java 21 onwards: no further configuration is required\u0026nbsp;(the system property and the problematic cache have been removed)\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eTomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that\u0026nbsp;sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set\u0026nbsp;sun.io.useCanonCaches to false by default where it can.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.\n\nThe mitigation for CVE-2024-50379 was incomplete.\n\nUsers running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation \nparameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:\n- running on Java 8 or Java 11: the system property\u00a0sun.io.useCanonCaches must be explicitly set to false (it defaults to true)\n- running on Java 17: the\u00a0system property sun.io.useCanonCaches, if set, must be set to false\u00a0(it defaults to false)\n- running on Java 21 onwards: no further configuration is required\u00a0(the system property and the problematic cache have been removed)\n\nTomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that\u00a0sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set\u00a0sun.io.useCanonCaches to false by default where it can."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-20T15:28:54.738Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-50379"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-56337",
    "datePublished": "2024-12-20T15:28:54.738Z",
    "dateReserved": "2024-12-20T11:16:29.949Z",
    "dateUpdated": "2025-01-03T12:04:31.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted