Race condition with path traversal in Apache Tomcat (CVE-2024-50379)

ISGroup Cybersecurity

Apache Tomcat, in versions from 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2, presents a critical vulnerability that allows for remote code execution due to a race condition. With over 130,000 instances exposed online, this vulnerability represents a significant risk for organizations globally.

Product: Apache Tomcat
Date: 2024-12-24 13:35:38
Information:
  • Trending
  • Fix Available

Technical Summary

The vulnerability stems from a race condition in file upload handling combined with case-insensitive path processing in Apache Tomcat. An attacker can exploit it by:

  1. Sending simultaneous PUT requests with non-standard file extensions (e.g., .Jsp instead of .jsp)
  2. Simultaneously performing GET requests to the same path with standard extensions
  3. Leveraging the case-insensitivity of the server’s file system to execute malicious code

This vulnerability is particularly dangerous because:

  • It affects multiple major versions of Tomcat
  • It can lead to remote code execution
  • It is present in default configurations
  • A significant number of vulnerable instances are still exposed
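The request pattern described in the steps above (a PUT of a JSP-like name with a non-canonical extension, followed shortly by a GET of the same path in canonical case) is visible in ordinary access logs. The following detection script is an added example written for this page; it is not part of the advisory and does not come from the Tomcat project. It assumes Tomcat's default "common" access-log format, and the log lines it runs over are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in Tomcat's "common" format (not real traffic).
# The first two lines show the PUT-then-GET pattern from the advisory; the rest are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Dec/2024:13:35:38 +0000] "PUT /uploads/shell.Jsp HTTP/1.1" 201 0
203.0.113.7 - - [24/Dec/2024:13:35:38 +0000] "GET /uploads/shell.jsp HTTP/1.1" 200 512
198.51.100.9 - - [24/Dec/2024:13:36:02 +0000] "GET /index.jsp HTTP/1.1" 200 2048
198.51.100.9 - - [24/Dec/2024:13:40:10 +0000] "PUT /docs/readme.txt HTTP/1.1" 201 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
JSP_RE = re.compile(r"\.jsp$", re.IGNORECASE)


def parse_line(line):
    """Parse one common-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def is_mixed_case_jsp(path):
    """True when the extension is .jsp ignoring case but is not exactly the lowercase '.jsp'."""
    return bool(JSP_RE.search(path)) and not path.endswith(".jsp")


def find_suspicious(log_text, window=timedelta(seconds=5)):
    """Return one alert per PUT of a case-variant .jsp name; severity is raised to 'high'
    when any GET for the same path (compared case-insensitively) falls within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    for put in events:
        if put["method"] != "PUT" or not is_mixed_case_jsp(put["path"]):
            continue
        canonical = put["path"].lower()
        paired_get = any(
            e["method"] == "GET"
            and e["path"].lower() == canonical
            and abs(e["ts"] - put["ts"]) <= window
            for e in events
        )
        alerts.append({
            "ip": put["ip"],
            "path": put["path"],
            "paired_get": paired_get,
            "severity": "high" if paired_get else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Run against a live `localhost_access_log` the script flags only writes whose extension differs from the canonical `.jsp` by case, which is the element of the pattern that normal application traffic does not produce; a plain `PUT` of a `.jsp` file is worth its own rule but is outside this example.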

Impact

Successful exploitation could allow attackers to:

  • Execute arbitrary code on the target system
  • Gain unauthorized access to sensitive data
  • Establish persistent access to the system
  • Move laterally to other systems on the network
  • Compromise the integrity of web applications

Recommendations

  1. Immediate actions:

    • Update Apache Tomcat to the following versions or later:
      • 9.0.98 for Tomcat 9.x
      • 10.1.34 for Tomcat 10.x
      • 11.0.2 for Tomcat 11.x
  2. Configuration hardening:

    • Implement strict restrictions for file uploads
    • Configure proper handling of file extensions
    • Enable readonly mode for the default servlet where possible
    • Review and restrict HTTP PUT/DELETE methods if not necessary
  3. Additional security measures:

    • Apply Web Application Firewall (WAF) rules to detect and block exploit attempts
    • Monitor for suspicious patterns in file uploads and concurrent requests
    • Consider implementing network segmentation to limit exposure
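Two of the hardening items above, read-only mode for the default servlet and restricting PUT/DELETE, live in Tomcat's web.xml. The audit script below is an added example for this page, not code from the advisory or from the Tomcat project. It checks a web.xml for an explicit `readonly=false` on the servlet named `default` and for a deny-all `security-constraint` covering PUT and DELETE; the two embedded web.xml fragments are constructed minimal samples (a weak one and a hardened one), not Tomcat's shipped file, and the element names used are the standard Servlet deployment-descriptor ones.

```python
import xml.etree.ElementTree as ET

# Constructed weak fragment: the default servlet is explicitly writable.
WEAK_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed hardened fragment: readonly=true plus a deny-all constraint on PUT/DELETE.
# An <auth-constraint/> with no <role-name> denies the listed methods to every caller.
HARDENED_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no-writes</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the same code handles javaee and jakartaee descriptors."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(xml_text):
    """True unless the servlet named 'default' sets readonly to something other than 'true'.
    Tomcat's own default for this parameter is true, so an absent init-param counts as read-only."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            params = {_local(c.tag): (c.text or "").strip() for c in ip}
            if params.get("param-name") == "readonly":
                return params.get("param-value", "").lower() == "true"
        return True
    return True


def denied_methods(xml_text):
    """Collect HTTP methods that a security-constraint with an empty auth-constraint denies to all."""
    root = ET.fromstring(xml_text)
    denied = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue  # no auth-constraint, or roles are granted: not a deny-all
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                for m in wrc:
                    if _local(m.tag) == "http-method" and m.text:
                        denied.add(m.text.strip().upper())
    return denied


def audit(xml_text):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if not default_servlet_readonly(xml_text):
        findings.append("default servlet has readonly=false: PUT/DELETE can write into the webapp")
    missing = {"PUT", "DELETE"} - denied_methods(xml_text)
    if missing:
        findings.append("no deny-all security-constraint for " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_WEB_XML))
    print("hardened:", audit(HARDENED_WEB_XML))
```

Point the script at `conf/web.xml` and at each application's `WEB-INF/web.xml`, since a per-application descriptor can re-declare the default servlet and override the global setting.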
