You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.
This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.
Note:
The default readonly initialization parameter value of true is not vulnerable.
This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;
In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :
running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults
to true)
running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Remediation
Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.
Overview
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.
This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.
Note:
The default
readonlyinitialization parameter value oftrueis not vulnerable.This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;
In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :
running on Java 8 or Java 11: the system property
sun.io.useCanonCachesmust be explicitly set to false (it defaultsto true)
running on Java 17: the system property
sun.io.useCanonCaches, if set, must be set to false (it defaults to false)running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Remediation
Upgrade
org.apache.tomcat.embed:tomcat-embed-coreto version 9.0.98, 10.1.34, 11.0.2 or higher.References
The text was updated successfully, but these errors were encountered: