
CVE-2024-56337: Critical TOCTOU Vulnerability in Apache Tomcat

by CyRisk

    CVE-2024-56337: Critical Apache Tomcat Remote Code Execution Vulnerability

    CVE ID: CVE-2024-56337
    CVSS Score: 9.8 (Critical)
    Published: December 20, 2024


    Summary of Key Findings

    CVE-2024-56337 is a Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat that enables Remote Code Execution (RCE) under specific configurations. Exploitation requires Tomcat to run on a case-insensitive file system with a write-enabled default servlet. This flaw stems from an incomplete mitigation for CVE-2024-50379 and is actively exploited in the wild. Affected versions span major branches (9.0.0–9.0.97, 10.1.0–10.1.33, 11.0.0–11.0.1), with patches available in 9.0.99, 10.1.35, and 11.0.3. Mitigation depends on the Java version: Java 8/11 require configuration of sun.io.useCanonCaches, while newer versions (Java 21+) include built-in fixes. Enterprises using Tomcat in critical infrastructure or CI/CD pipelines face heightened risk, necessitating urgent patching and configuration auditing.


    1. Threat Intelligence: Active Exploitation and Campaigns

    CVE-2024-56337 is actively exploited in the wild, with public proof-of-concept (PoC) code available on GitHub. While not explicitly linked to specific threat actor groups, its low complexity (CVSS 9.8/10) and RCE capability make it highly attractive for attackers targeting Java-based web applications.

    Key Threat Indicators

    1. Attack Vector: Network-based exploitation without authentication or user interaction.
    2. Impact: Full system compromise via arbitrary code execution.
    3. Exposure Scope: Critical infrastructure, healthcare, education, and enterprise applications using Tomcat on Windows, macOS, or network file systems.

    Observed Patterns

    Attackers leverage concurrent file reads and uploads to bypass Tomcat’s case-sensitivity checks. For example:

    1. File Upload: An attacker uploads a non-JSP file (e.g., .txt).
    2. Race Condition Exploitation: While Tomcat reads the file, the attacker renames it to .jsp on a case-insensitive system.
    3. RCE Execution: Tomcat processes the renamed file as executable JSP code, enabling arbitrary commands.

    Public GitHub repositories host PoC exploit scripts, emphasizing the need for immediate patching and configuration hardening.


    2. Technical Analysis: Root Cause and Exploitation

    Root Cause

    CVE-2024-56337 exploits a TOCTOU race condition during JSP compilation. The flaw arises when Tomcat performs a case-sensitive check on a file’s name but later processes it on a case-insensitive system, allowing attackers to manipulate filenames after the check has passed. This vulnerability stems from the incomplete fix for CVE-2024-50379, whose mitigations left configuration gaps.

    Exploitation Requirements

    | Prerequisite | Description |
    |------------------------------|---------------------------------------------------------------------------|
    | Case-insensitive filesystem  | Required to bypass Tomcat’s case-sensitivity checks (e.g., Windows, APFS) |
    | Write-enabled default servlet | Tomcat’s DefaultServlet must have readonly="false".                      |
    | Concurrent operations        | Simultaneous read/upload of a file under network load.                    |

    Proof-of-Concept Mechanics

    Exploits involve:

    1. File Upload: Using curl or custom scripts to upload a file (e.g., flag.txt).
    2. Race Window: Renaming flag.txt to FLAG.JSP immediately after upload.
    3. JSP Execution: Tomcat processes FLAG.JSP as an executable JSP file, triggering RCE.

    PoC code often mimics legitimate file operations to evade detection, making behavioral monitoring critical.


    3. Vendor Response and Patch Guidance

    Apache released security updates in December 2024, addressing both CVE-2024-50379 and CVE-2024-56337. Updates include configuration checks and forced settings for sun.io.useCanonCaches.

    Critical Mitigation Steps

    | Java Version | Required Action                            | Tomcat Version          |
    |--------------|--------------------------------------------|-------------------------|
    | Java 8/11    | Set -Dsun.io.useCanonCaches=false.         | 9.0.99, 10.1.35, 11.0.3 |
    | Java 17      | Verify sun.io.useCanonCaches is not set.   | 9.0.99, 10.1.35, 11.0.3 |
    | Java 21+     | No action required (property removed).     | 9.0.99, 10.1.35, 11.0.3 |

    Enterprise Best Practices:

    1. Patch Immediately: Upgrade Tomcat to 9.0.99, 10.1.35, or 11.0.3.
    2. Configure sun.io.useCanonCaches:

    ```bat
    REM Example for Java 8/11 (Windows): add to Tomcat's startup script (e.g., bin\setenv.bat, which catalina.bat reads if present)
    set CATALINA_OPTS=-Dsun.io.useCanonCaches=false
    ```
    Set CATALINA_OPTS in Tomcat’s startup scripts so the property is passed to every JVM launch.


    4. Real-World Impact and Affected Systems

    High-Risk Environments

    1. Enterprise Web Servers: Running Tomcat on Windows (common in hybrid clouds).
    2. CI/CD Pipelines: Applications using Tomcat-embedded libraries (e.g., Spring Boot).
    3. IoT/API Gateways: Systems with exposed Tomcat instances on network file systems.

    Documented Incidents

    1. IBM Integration Bus for z/OS: Required urgent patching for Tomcat component vulnerabilities.
    2. Sage CRM 2024 R2: Forced users to manually update catalina.bat for Java 8 compliance.
    3. Healthcare Systems: Vulnerable to data breaches via improper file access controls.

    ---

    5. Detection and Monitoring Strategies

    Log Indicators

    1. File Access Patterns: Multiple rapid read operations followed by write attempts.
    2. JSP Execution: Logs showing unexpected JSP file execution paths (e.g., /WEB-INF/+VALIDATING-FILE.JSP).

    SIEM Queries

    ```sql
    SELECT *
    FROM webapp_logs
    WHERE http_status = 200
      AND file_extension NOT IN ('jsp')
    ORDER BY timestamp DESC;
    ```
    Filters for non-JSP files served as static content following rapid writes.
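    The log-based indicators above can be correlated directly. The following detector is an added example (not code from the original post or from Apache): it parses constructed Tomcat access-log lines in the "common" pattern (%h %l %u %t "%r" %s %b) and flags a non-JSP write that is followed within a short window by a successful request for a .jsp file whose case-folded name matches the written file. The log lines, the 5-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Tomcat "common" pattern); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2024:10:15:01 +0000] "PUT /uploads/flag.txt HTTP/1.1" 201 0
10.0.0.5 - - [20/Dec/2024:10:15:02 +0000] "GET /uploads/FLAG.JSP HTTP/1.1" 200 512
10.0.0.9 - - [20/Dec/2024:10:20:00 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 0
10.0.0.9 - - [20/Dec/2024:10:20:01 +0000] "GET /uploads/report.txt HTTP/1.1" 200 120
10.0.0.7 - - [20/Dec/2024:11:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
WINDOW = timedelta(seconds=5)  # assumed correlation window between write and read


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def stem(path):
    """Case-folded path without its extension: /uploads/FLAG.JSP -> /uploads/flag"""
    name = path.rsplit("/", 1)[-1]
    base = path.rsplit(".", 1)[0] if "." in name else path
    return base.lower()


def find_race_candidates(log_text, window=WINDOW):
    """Pair each non-JSP write with a later 200 GET of a .jsp file sharing its stem."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    writes = [e for e in events
              if e[2] in ("PUT", "POST") and not e[3].lower().endswith(".jsp")]
    hits = []
    for ip_w, t_w, _, path_w, _ in writes:
        for _, t_r, method, path_r, status in events:
            if (method == "GET" and status == 200 and path_r.lower().endswith(".jsp")
                    and stem(path_r) == stem(path_w)
                    and timedelta(0) <= t_r - t_w <= window):
                hits.append((ip_w, path_w, path_r))
    return hits


if __name__ == "__main__":
    for hit in find_race_candidates(SAMPLE_LOG):
        print("possible TOCTOU sequence:", hit)
```

Only the flag.txt / FLAG.JSP pair is reported; the report.txt write is followed by a plain static read and is ignored.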

    YARA Rules

    ```yara
    rule tomcat_rce_exploit : tomcat race_condition
    {
        meta:
            description = "Apache Tomcat File Race Condition"
        strings:
            $1 = "FLAG.JSP"
            $2 = "content Upload"
        condition:
            all of them
    }
    ```
    Identifies malicious upload attempts.


    6. Advanced Mitigation and Hardening

    Network Segmentation

    1. Isolate Tomcat Servers: Restrict external access to the minimum required ports/services.
    2. Firewall Rules: Block uploads for untrusted origins; permit only whitelisted MIME types.

    Configuration Hardening

    1. Disable Write Access on DefaultServlet:

    Edit web.xml:
    ```xml
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet>
    ```

    2. Enforce Case Sensitivity: Use case-sensitive filesystems (e.g., Linux Ext4, ZFS).
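    The mitigation table in Section 3 and the web.xml hardening above can be checked together. The following audit helper is an added example, not code from the original post or from Apache: it reads a web.xml fragment to confirm DefaultServlet is read-only, and applies the per-Java-version sun.io.useCanonCaches guidance to a CATALINA_OPTS/JAVA_OPTS string. The sample web.xml is constructed, and the function names and the integer Java major version are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed conf/web.xml excerpt (not from a real deployment) showing the weak
# setting this advisory warns about: DefaultServlet with readonly=false.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


def default_servlet_readonly(web_xml_text):
    """True if DefaultServlet is read-only; Tomcat's default when the param is absent."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.findall("{*}servlet"):  # {*} matches any namespace
        cls = (servlet.findtext("{*}servlet-class") or "").strip()
        if cls != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for p in servlet.findall("{*}init-param"):
            if (p.findtext("{*}param-name") or "").strip() == "readonly":
                value = (p.findtext("{*}param-value") or "true").strip().lower()
                return value != "false"
    return True


def canon_caches_ok(java_major, jvm_opts):
    """Apply the per-Java-version guidance to a CATALINA_OPTS/JAVA_OPTS string."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)
    value = m.group(1).lower() if m else None
    if java_major <= 11:
        return value == "false"          # Java 8/11: must be explicitly disabled
    if java_major < 21:
        return value in (None, "false")  # Java 17: must not be set (to true)
    return True                          # Java 21+: property removed, nothing to do


def audit(java_major, jvm_opts, web_xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not default_servlet_readonly(web_xml_text):
        findings.append("DefaultServlet has readonly=false; set readonly=true")
    if not canon_caches_ok(java_major, jvm_opts):
        findings.append("sun.io.useCanonCaches not configured for Java %d" % java_major)
    return findings
```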

    Runtime Protection Tools

    1. Web Application Firewalls (WAFs): Block requests attempting to rename files.
    2. RASP Solutions: Tools like Waratek enforce path validation at runtime, neutralizing TOCTOU.

    ---

    7. Supply Chain and Dependency Risks

    Affected Libraries

    | Dependency              | Vulnerable Versions                  | Patches Available             |
    |-------------------------|--------------------------------------|-------------------------------|
    | tomcat-embed-core       | < 9.0.98                             | 9.0.99                        |
    | spring-boot-starter-web | Includes vulnerable Tomcat versions  | Upgrade to Spring Boot 3.3.5+ |

    CI/CD Pipeline Recommendations

    1. Dependency Scanning: Use tools like Mend SCA to detect embedded Tomcat versions.
    2. Build Artifact Audits: Enforce SBOM (Software Bill of Materials) for transparency.
    3. Pipeline Isolation: Restrict network access for Tomcat-based build agents.

    ---

    8. Related Vulnerabilities and Attack Campaigns

    CVE-2024-50379

    1. Root Cause: Subset of TOCTOU mismatches similar to CVE-2024-56337, but with weaker mitigation.
    2. Propagation: Exploits combined with vulnerabilities in Webmin (CVE-2024-12828) for lateral movement.

    Phishing-Adjacent Threats

    Access brokering campaigns, like Storm-2372’s Microsoft 365 token theft, may leverage stolen credentials to target Tomcat servers.


    9. Conclusion and Recommendations

    Critical Actions

    1. Patch Immediately: Upgrade Tomcat to 9.0.99, 10.1.35, or 11.0.3.
    2. Audit Configurations: Verify sun.io.useCanonCaches settings and disable write access on DefaultServlet.
    3. Continuous Monitoring: Deploy SIEM rules and WAFs to detect exploit attempts.

    Long-Term Measures

    1. Migrate to Case-Sensitive Filesystems: Eliminate TOCTOU attack surfaces.
    2. Adopt Least Privilege: Restrict Tomcat processes to read-only access where possible.

    Even with updates available, CVE-2024-56337 remains one of the most critical web server vulnerabilities of 2024, demanding urgent remediation across industries.

    ---
    Research sources: [1][2][4][5][7][8][9][10][11][13][15][16][17]
