BIT-tomcat-2024-21733
Generation of Error Message Containing Sensitive Information vulnerability in tomcat-embed-core (Maven)
What is BIT-tomcat-2024-21733 About?
This vulnerability in Apache Tomcat involves the generation of error messages that contain sensitive information. When exploited, it can lead to information disclosure, allowing attackers to gather data that could aid further attacks. Exploitation is relatively easy once an error condition is triggered.
Affected Software
- org.apache.tomcat:tomcat-coyote
  - >9.0.0-M11, <9.0.44
- org.apache.tomcat.embed:tomcat-embed-core
  - >8.5.7, <8.5.64
Technical Details
The vulnerability arises when Apache Tomcat, specifically versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43, generates error messages that inadvertently include sensitive data. This can occur under various error conditions in which detailed internal information, such as file paths, stack traces, or configuration details, is exposed in the error output. An attacker could intentionally trigger error states, or observe system behavior under unusual circumstances, to obtain this sensitive information from publicly exposed error messages. The information can then be leveraged for reconnaissance, to understand the system architecture, or to find other potential weaknesses.
What is the Impact of BIT-tomcat-2024-21733?
Successful exploitation may allow attackers to gain unauthorized access to sensitive system information, facilitating further attacks or compromising confidentiality.
What is the Exploitability of BIT-tomcat-2024-21733?
Exploitation complexity is considered low. There are no specific authentication or privilege requirements; any user capable of interacting with the Apache Tomcat instance and triggering error conditions can exploit this. It is primarily a remote vulnerability. The key condition is the occurrence of an error that causes the application to generate an informative error message. Attackers could intentionally send malformed requests or access non-existent resources to trigger such errors and observe the resulting sensitive information.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| LtmThink | Link | A verification of CVE-2024-21733 |
What are the Available Fixes for BIT-tomcat-2024-21733?
About the Fix from Resolved Security
The patch ensures that the buffer's limit and position are correctly reset if an exception occurs during request body processing, guaranteeing consistent buffer state and reliable error signaling. This change fixes CVE-2024-21733 by ensuring that the ReadListener's onError() is triggered when a client closes the connection prematurely while using non-blocking I/O, preventing scenarios where the server would otherwise hang or not handle the error correctly.
Available Upgrade Options
- org.apache.tomcat:tomcat-coyote
  - >9.0.0-M11, <9.0.44 → Upgrade to 9.0.44
- org.apache.tomcat.embed:tomcat-embed-core
  - >8.5.7, <8.5.64 → Upgrade to 8.5.64
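As an added example (not part of this advisory or of the Tomcat project), the check below applies the affected ranges exactly as listed on this page to the output of `mvn dependency:list`, treating the `9.0.0-M11` milestone as sorting before the final `9.0.0`. The sample build output is constructed, not taken from a real project.

```python
import re

# Affected ranges exactly as listed on this page: (exclusive lower, exclusive upper, fixed version)
AFFECTED_RANGES = {
    "org.apache.tomcat:tomcat-coyote": ("9.0.0-M11", "9.0.44", "9.0.44"),
    "org.apache.tomcat.embed:tomcat-embed-core": ("8.5.7", "8.5.64", "8.5.64"),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def version_key(version):
    """Map a Tomcat version to a sortable tuple; milestones (9.0.0-M11) sort before the final 9.0.0."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported Tomcat version format: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)           # final release
    return (int(major), int(minor), int(patch), 0, int(milestone))  # pre-release milestone

def fixed_version_for(coordinate, version):
    """Return the upgrade target if coordinate:version lies inside an affected range, else None."""
    rng = AFFECTED_RANGES.get(coordinate)
    if rng is None:
        return None
    lower, upper, fixed = rng
    if version_key(lower) < version_key(version) < version_key(upper):
        return fixed
    return None

def scan_dependency_list(output):
    """Parse `mvn dependency:list` lines (groupId:artifactId:type[:classifier]:version:scope)
    and return (coordinate, version, fixed) for every vulnerable Tomcat artifact found."""
    findings = []
    for line in output.splitlines():
        fields = line.removeprefix("[INFO]").strip().split(":")
        if len(fields) < 5:
            continue  # not a dependency line
        coordinate = f"{fields[0]}:{fields[1]}"
        version = fields[-2]  # version sits just before the scope, with or without a classifier
        fixed = fixed_version_for(coordinate, version) if coordinate in AFFECTED_RANGES else None
        if fixed:
            findings.append((coordinate, version, fixed))
    return findings

# Constructed sample output (not from a real build) in the `mvn dependency:list` format.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.63:compile
[INFO]    org.apache.tomcat:tomcat-coyote:jar:9.0.43:compile
[INFO]    org.apache.tomcat:tomcat-coyote:jar:9.0.44:compile
[INFO]    com.example:unrelated-lib:jar:1.2.3:compile
"""

if __name__ == "__main__":
    for coordinate, version, fixed in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"{coordinate}:{version} is affected by CVE-2024-21733; upgrade to {fixed}")
```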
Additional Resources
- https://github.com/apache/tomcat
- https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
- https://nvd.nist.gov/vuln/detail/CVE-2024-21733
- https://security.netapp.com/advisory/ntap-20240216-0005
- https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a
- http://www.openwall.com/lists/oss-security/2024/01/19/2
- https://tomcat.apache.org/security-9.html
- https://tomcat.apache.org/security-8.html
What are Similar Vulnerabilities to BIT-tomcat-2024-21733?
Similar Vulnerabilities: CVE-2021-42340, CVE-2019-17558, CVE-2018-1336, CVE-2017-7661, CVE-2016-8745
