Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Time-of-check Time-of-use (TOCTOU) Race Condition SNYK-JAVA-ORGAPACHETOMCATEMBED-8547999 #517

Open
github-actions bot opened this issue Dec 23, 2024 · 0 comments
Open

Time-of-check Time-of-use (TOCTOU) Race Condition SNYK-JAVA-ORGAPACHETOMCATEMBED-8547999 #517

github-actions bot opened this issue Dec 23, 2024 · 0 comments
Labels
critical Snyk

Comments

@github-actions
Copy link

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

  1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

  2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

  3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

References
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
critical Snyk
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants