
CVE-2024-50379: Critical RCE Vulnerability in Apache Tomcat

by CyRisk

    Comprehensive Research Report: CVE-2024-50379 (Apache Tomcat TOCTOU RCE)

    CVE-2024-50379 is a critical remote code execution (RCE) vulnerability caused by a Time-of-check Time-of-use (TOCTOU) race condition in Apache Tomcat. This flaw enables attackers to exploit case-insensitive file systems when the default servlet is misconfigured to allow writes, leading to arbitrary code execution. With a CVSS score of 9.8, this vulnerability represents a severe risk to organizations relying on Tomcat for Java-based web applications.

    Threat Intelligence & Active Exploitation

    As of July 2025, CVE-2024-50379 has attracted significant attention from the security community, though confirmed in-the-wild (ITW) exploitation remains limited. Proof-of-concept (PoC) exploits are publicly available on GitHub and other repositories, demonstrating techniques to overwrite JSP files and execute arbitrary commands.

    Key Threat Indicators

| Indicator Type | Details | Source |
|---|---|---|
| Malicious IPs | 45.136.198.18, 88.198.101.58 | SOCRadar |
| Hostnames | enrollmentdm.com, internalsecurity.us | SOCRadar |
| Exploit Repos | v3153/CVE-2024-50379-POC, ph0ebus/Tomcat-CVE-2024-50379-Poc | GitHub |

    While no major threat actor campaigns are officially linked to this CVE, the presence of exploit code in public repositories increases the likelihood of opportunistic attacks. Organizations with Tomcat servers on Windows or other case-insensitive systems are particularly vulnerable.

    Technical Deep Dive: Root Cause & Exploitation

    Root Cause

    CVE-2024-50379 arises from a race condition during JavaServer Pages (JSP) compilation. When the default servlet (Tomcat's DefaultServlet) is configured for write access (readonly="false", which is not the default), Apache Tomcat checks for file existence in one thread and uses the result in another thread. On case-insensitive file systems, attackers can upload a file whose name differs only in case (e.g., FILE.JSP vs. file.jsp) to overwrite existing files. This triggers compilation and execution of the malicious JSP code.

    Attack Prerequisites

    1. Case-insensitive file system: Windows, macOS, or UNIX filesystems mounted case-insensitively.
    2. Default servlet write enabled: readonly="false" in web.xml.
    3. Support for PUT/PATCH requests: Enabled by default in Tomcat.

    Step-by-Step Exploitation

    1. Upload benign file: Attacker uploads file.jsp (e.g., via upload.jsp).
    2. Race condition trigger: Simultaneously upload/partial-PATCH FILE.JSP, leveraging Tomcat’s case insensitivity.
    3. JSP compilation: Tomcat compiles and executes FILE.JSP as it assumes no overwrite occurred.
```python
# Example PoC snippet to upload a malicious JSP shell (as printed on the page)
import requests

url = "http://vulnerable-server:8080/upload.jsp"

# No hand-written Content-Type header: when `files=` is used, requests builds the
# multipart body and its boundary itself, and a manual header would break the upload.
files = {
    # The JSP body is reproduced exactly as it appears on the page; it is not valid JSP as printed.
    "file": ("shell.jsp", b"<%@ page contentType=\"text/html;charset=UTF-8\" language=\"java\"recipes.shop(System.getRuntime().exec(request.getParameter(\"cmd\"))); %>"),
    "name": "shell",
}

requests.post(url, files=files)
```

    Attack Limitations

    1. Configuration-dependent: Exploitation requires non-default write access for the default servlet.
    2. Narrow timing window: Requires precise synchronization between the file upload and the compilation trigger.

    Vendor Response & Patching Strategy

    Apache Tomcat Security Updates

    Tomcat versions 11.0.2, 10.1.34, and 9.0.98 address the flaw. Subsequent updates (e.g., 11.0.3) include additional checks for case-insensitive systems and JVM configuration.

    Required Configuration Adjustments

| Java Version | Action |
|---|---|
| Java 8/11 | Set -Dsun.io.useCanonCaches=false |
| Java 17 | Ensure sun.io.useCanonCaches is unset |
| Java 21+ | No action needed |

    This JVM setting prevents the cached, case-normalized path lookups that make the race condition exploitable; on Java 21 and later the default behaviour is already safe, so no change is needed.

    Vendor Industry Actions

    1. VMware: Patches for vCenter 8.x via VMware Security Advisory.
    2. NetApp: Advisories for affected products, recommending upgrades to Tomcat 9.0.98+.
    3. Dell: NetWorker 19.11.0.3 fixes scheduled for June 2025.

    Real-World Impact & Case Studies

    Potential Attack Scenarios

    1. Data Breaches: Unrestricted RCE allows attackers to extract sensitive data or deploy reverse shells.
    2. Malware Deployment: Dropping ransomware (e.g., Sodinokibi) or credential stealers.
    3. Lateral Movement: Compromised Tomcat servers become pivot points for internal network attacks.

    Case Example: Compromised CI/CD Pipelines

    If a Tomcat server hosts build artifacts, attackers could inject malicious code into deployment packages. This aligns with supply chain attack patterns, though CVE-2024-50379 itself is not a supply chain vulnerability per se.

    Detection & Monitoring Strategies

    Network Indicators

| Signature | Detection Method |
|---|---|
| Multiple PUT/PATCH requests | IDS/IPS rules for HTTP 204 responses |
| Malicious JSP uploads | WAF rules for .jsp uploads |
| Command execution | Network monitoring for cmd= parameters |

    Log Analysis & SIEM Queries

```sql
SELECT *
FROM tomcat_access_log
WHERE request_method IN ('PUT', 'PATCH')
  -- compare case-insensitively: the attack relies on spellings such as FILE.JSP
  AND LOWER(requested_uri) LIKE '%.jsp%'
  -- Tomcat's DefaultServlet answers a successful PUT with 201 or 204, so widen
  -- this filter if your log stores those codes
  AND status = '200';
```

    Sample SIEM query to detect high-risk file uploads.
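The same check as a script over raw access-log lines, added here as an example (not code from the original post or from Apache Tomcat). It goes one step beyond the query: besides flagging PUT/PATCH writes to JSP paths, it pairs writes from one client to the same path under two spellings within a short window, which is the footprint of the case-insensitivity race. The log lines are constructed; a plain LIKE '%.jsp%' is case-sensitive in many databases and would miss FILE.JSP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Tomcat's common access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2025:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [25/Jul/2025:10:00:02 +0000] "PUT /app/uploads/file.jsp HTTP/1.1" 201 0
10.0.0.9 - - [25/Jul/2025:10:00:02 +0000] "GET /app/uploads/file.jsp HTTP/1.1" 200 120
10.0.0.9 - - [25/Jul/2025:10:00:03 +0000] "PUT /app/uploads/FILE.JSP HTTP/1.1" 204 0
10.0.0.7 - - [25/Jul/2025:10:00:10 +0000] "PUT /app/uploads/notes.txt HTTP/1.1" 201 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def jsp_writes(log_text):
    """PUT/PATCH requests whose path ends in .jsp/.jspx, compared case-insensitively."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r and r["method"] in ("PUT", "PATCH")
            and r["path"].lower().endswith((".jsp", ".jspx"))]


def case_variant_writes(log_text, window_seconds=5):
    """Writes from one client to the same folded path under two different spellings
    within the window: the signature of the case-insensitivity race."""
    by_key = defaultdict(list)
    for r in jsp_writes(log_text):
        by_key[(r["ip"], r["path"].lower())].append(r)
    hits = []
    for recs in by_key.values():
        recs.sort(key=lambda r: r["ts"])
        for a, b in zip(recs, recs[1:]):
            if a["path"] != b["path"] and (b["ts"] - a["ts"]).total_seconds() <= window_seconds:
                hits.append((a["ip"], a["path"], b["path"]))
    return hits
```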

    Behavioral Rule (YARA)

```yara
rule tomcat_jsp_injection {
    meta:
        description = "JSP File Overwrite Attempt"
        threat_level = 3
    strings:
        // a regex (not a plain string) so that ".*" is interpreted; nocase catches FILE.JSP
        $jsp_upload = /multipart\/form-data.*jsp/ nocase
        // pattern reproduced as printed on the page
        $evil = "cmd=< exaggerated(javascript)code>"
    condition:
        $jsp_upload and $evil
}
```

    Advanced Mitigation & Hardening

    Beyond Patching

    1. Disable dangerous features:
       1. Remove the default servlet declaration from web.xml if unused.
       2. Set readonly="true" for the default servlet.
    2. Restrict file uploads:
       1. Enforce file type whitelisting (e.g., allow only txt, pdf).
       2. Implement strict quotas for uploaded content.

    Java & Tomcat Configuration

```bash
# Apache Tomcat JVM startup parameters
# For Java 8/11: disable the canonical path cache (case normalization)
export JAVA_OPTS="-Dsun.io.useCanonCaches=false"
```

| Tomcat Setting | Recommended Value | Location |
|---|---|---|
| readonly parameter | true | conf/web.xml |
| server variable | Use IP/name | conf/server.xml |
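An added audit script (example code written for this page, not a Tomcat or CyRisk tool) that checks the two settings above: it parses a constructed conf/web.xml fragment for the default servlet's readonly parameter, and maps the running Java major version plus the JVM options in use to the action in the Java-version table. The Java 17 rule follows that table literally and flags any explicit sun.io.useCanonCaches setting.

```python
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragment showing the dangerous setting (not from a real deployment).
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

CANON_FLAG = "-Dsun.io.useCanonCaches="


def default_servlet_readonly(web_xml_text):
    """Effective readonly value for the default servlet. Tomcat treats a missing
    parameter as readonly=true, so only an explicit 'false' means writable."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.findall("{*}servlet"):  # {*} matches any XML namespace
        if (servlet.findtext("{*}servlet-name") or "").strip() != "default":
            continue
        for param in servlet.findall("{*}init-param"):
            if (param.findtext("{*}param-name") or "").strip() == "readonly":
                return (param.findtext("{*}param-value") or "").strip().lower() != "false"
    return True


def canon_cache_action(java_major, jvm_opts):
    """Action required by the Java-version table above, given the JVM options in use."""
    explicit = [o for o in jvm_opts.split() if o.startswith(CANON_FLAG)]
    value = explicit[-1][len(CANON_FLAG):].lower() if explicit else None
    if java_major >= 21:
        return "ok"
    if java_major >= 17:
        return "ok" if value is None else "remove " + explicit[-1]
    return "ok" if value == "false" else "add " + CANON_FLAG + "false"


def audit(web_xml_text, java_major, jvm_opts):
    """Collect findings for one Tomcat instance; an empty list means both checks pass."""
    findings = []
    if not default_servlet_readonly(web_xml_text):
        findings.append("default servlet has readonly=false in web.xml: set it to true")
    action = canon_cache_action(java_major, jvm_opts)
    if action != "ok":
        findings.append(action)
    return findings
```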

    Related Vulnerabilities & Attack Patterns

    Interrelated CVEs

| CVE | Relationship | CVSS |
|---|---|---|
| CVE-2024-56337 | Incomplete mitigation for CVE-2024-50379 | 9.8 |

    Attack Pattern Comparison

| Vulnerability | Attack Vector | Severity |
|---|---|---|
| CVE-2024-50379 | RCE via JSP overwrite | CRITICAL |
| CVE-2023-32048 | Apache CXF OAuth2 flaw | HIGH |

      Conclusion & Recommendations

      Immediate Action

      1. Patch Tomcat to 9.0.98+, 10.1.34+, or 11.0.2+.
      2. Audit web.xml for readonly="false" settings.
      3. Monitor for suspicious JSP file uploads and behavioral anomalies.

      Strategic Improvements

    1. Implement web application firewalls (WAFs) to restrict file uploads.
    2. Regularly test for misconfigurations using OWASP ZAP or PTA toolkit.
    3. Enforce segregation of duties in CI/CD pipelines to limit attack surface.

    CVE-2024-50379 underscores the importance of proactive vulnerability management, particularly for software serving public-facing applications. Organizations leveraging Tomcat must prioritize patching, configure stringent security policies, and adopt layered defense strategies to mitigate critical RCE risks.
