CVE-2021-24122
JSP source code disclosure vulnerability in tomcat-embed-core (Maven)

Summary: JSP source code disclosure | No known exploit | Fixable by Resolved Security

What is CVE-2021-24122 About?

This vulnerability in Apache Tomcat can disclose JSP source code when Tomcat serves resources from a network location on an NTFS file system. The root cause is unexpected behaviour of the JRE's `File.getCanonicalPath()`, which in turn stems from inconsistent behaviour of the Windows `FindFirstFileW` API in some circumstances. A leak exposes application logic and anything embedded in the JSPs; whether a deployment is exploitable depends on this specific configuration, not on the Tomcat version alone.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=7.0.0, <7.0.107
    • >=8.5.0, <8.5.60
    • >=9.0.0.M1, <9.0.40
    • >=10.0.0-M1, <10.0.0-M10

  (Lower bounds are inclusive: 7.0.0, 8.5.0, 9.0.0.M1 and 10.0.0-M1 are themselves affected, matching the ranges given under Technical Details.)

Technical Details

The vulnerability affects Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 when the server is configured to serve resources from a network location on an NTFS file system. The root cause is unexpected behaviour of the JRE's File.getCanonicalPath(), which is itself caused by inconsistent behaviour of the Windows API function FindFirstFileW under specific circumstances.

When a request arrives, Tomcat resolves the requested resource to a file under the document base and, as part of its access checks, compares the file's canonical path with its absolute path. Because of the inconsistency described above, File.getCanonicalPath() can return a representation that does not reflect the file actually reached, so a request whose URI does not match the *.jsp servlet mapping can still resolve to a JSP file on disk. Such a request is handled by the default servlet rather than the JSP servlet (which would compile the page and serve its output), and the default servlet returns the raw file contents: the uncompiled JSP source.

What is the Impact of CVE-2021-24122?

Successful exploitation allows an attacker to read JSP source code, which can reveal proprietary application logic, configuration details, or credentials embedded in the pages. The upstream Apache Tomcat advisory for this CVE also notes that, in some configurations, security constraints could be bypassed in the same way.

What is the Exploitability of CVE-2021-24122?

Exploitation requires only network access to a vulnerable Tomcat server; no authentication or privileges on the server are needed, because the flaw sits in how resources are resolved and served. Complexity is moderate: the server must be serving resources from a network location on NTFS, and the attacker must craft a request path that triggers the canonicalization inconsistency. The deployment configuration is the main constraint, since most installations do not serve their web application from a network NTFS share. Risk is higher where an attacker can infer or discover that such a configuration is in use.

What are the Known Public Exploits?

Known public exploits: none recorded (no PoC, author, link or commentary entries).

What are the Available Fixes for CVE-2021-24122?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

This patch requires the canonical path of a file to match its absolute path before access is allowed; if they differ (for example when a symlink is involved), access is denied and a warning or error is logged. For CVE-2021-24122 this stops a request whose filesystem resolution differs from its literal path from reaching protected files, including content under /WEB-INF/ and /META-INF/. Deployments that rely on Tomcat's Resources allowLinking="true", which intentionally permits canonical and absolute paths to differ, should verify that the patched behaviour still matches their expectations before rolling it out.
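The check described above, together with the canonical-versus-absolute path mismatch described under Technical Details, modelled in Python as an added example (not Tomcat's or Resolved Security's code): `classify_request` resolves a request path under a document base, compares the absolute path with the canonical (`os.path.realpath`) path, and either denies the request or lets it fall through to a servlet mapping keyed on the request URI string. The page does not give the exact Windows path spelling that triggers the FindFirstFileW inconsistency and this example does not try to reproduce it; on a POSIX host the constructed `index.txt` symlink stands in for a second filesystem name that reaches the JSP file without matching the `*.jsp` mapping. The function names, the `enforce_canonical` flag and the sample JSP body are assumptions made for the example.

```python
"""Model of the canonical-path check applied before serving a file resource.

Added example; not Tomcat or Resolved Security code. It models the decision the
page describes: deny when the canonical path differs from the absolute path,
otherwise fall through to a servlet mapping keyed on the request URI string.
"""
import os
import tempfile
from typing import Dict


def classify_request(doc_base: str, request_path: str, enforce_canonical: bool) -> str:
    """Decide how `request_path` would be served from `doc_base`.

    Returns one of:
      'denied'        - outside the document base, or (hardened mode) the name used
                        to reach the file is not its canonical name
      'not-found'     - no regular file at that path
      'jsp-servlet'   - URI ends in .jsp, so the JSP servlet would compile and run it
      'static-source' - URI does not hit the JSP mapping, so the default servlet
                        would return the file's raw bytes (JSP source included)
    """
    base = os.path.abspath(doc_base)
    candidate = os.path.abspath(os.path.join(base, request_path.lstrip("/")))
    # Traversal check on the normalised (not yet canonicalised) path.
    if os.path.commonpath([base, candidate]) != base:
        return "denied"
    if not os.path.isfile(candidate):
        return "not-found"
    # realpath resolves links, playing the role of File.getCanonicalPath() here.
    canonical = os.path.realpath(candidate)
    if enforce_canonical and canonical != candidate:
        return "denied"
    # Servlet mapping is decided on the request URI string, not on the file the
    # filesystem actually resolved the name to. That gap is what the check above closes.
    if request_path.endswith(".jsp"):
        return "jsp-servlet"
    return "static-source"


def demo() -> Dict[str, str]:
    """Build a throwaway document base and classify four requests against it."""
    with tempfile.TemporaryDirectory() as tmp:
        doc_base = os.path.realpath(tmp)  # realpath so the base itself is canonical
        jsp_path = os.path.join(doc_base, "index.jsp")
        with open(jsp_path, "w", encoding="utf-8") as fh:
            # Constructed JSP body: the kind of secret a source leak would expose.
            fh.write('<% String pw = System.getenv("DB_PASSWORD"); %>\n')
        # POSIX stand-in (assumption) for a second filesystem name that reaches the
        # same file while the request URI does not match the *.jsp mapping.
        os.symlink(jsp_path, os.path.join(doc_base, "index.txt"))
        return {
            "direct_jsp": classify_request(doc_base, "/index.jsp", enforce_canonical=True),
            "alias_unpatched": classify_request(doc_base, "/index.txt", enforce_canonical=False),
            "alias_patched": classify_request(doc_base, "/index.txt", enforce_canonical=True),
            "traversal": classify_request(doc_base, "/../etc/passwd", enforce_canonical=True),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

Running `demo()` shows the two behaviours side by side: the alias request returns `static-source` when the canonical check is off (the raw JSP body would go to the client) and `denied` when it is on, while a direct `/index.jsp` request still reaches the JSP servlet in both modes.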

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=7.0.0, <7.0.107 → Upgrade to 7.0.107
    • >=8.5.0, <8.5.60 → Upgrade to 8.5.60
    • >=9.0.0.M1, <9.0.40 → Upgrade to 9.0.40
    • >=10.0.0-M1, <10.0.0-M10 → Upgrade to 10.0.0-M10
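As an added check (not code from this page, from the Tomcat project or from Resolved Security), the Python below parses tomcat-embed-core version strings, including the 9.0.0.Mx and 10.0.0-Mx milestone spellings used in the affected ranges, tests a version against those ranges, and scans `mvn dependency:tree` output for the artifact so a build can be triaged without a manual lookup. The dependency-tree lines are constructed sample input, and `com.example:webapp` is a placeholder.

```python
"""Check tomcat-embed-core versions against the CVE-2021-24122 ranges on this page.

Added example; not Tomcat or Resolved Security code. The ranges are the ones
listed on this page: inclusive lower bound, exclusive upper bound, where the
upper bound is the first fixed release of that branch.
"""
import re
from typing import List, Optional, Tuple

AFFECTED_RANGES = [
    ("7.0.0", "7.0.107"),
    ("8.5.0", "8.5.60"),
    ("9.0.0.M1", "9.0.40"),
    ("10.0.0-M1", "10.0.0-M10"),
]

# Matches 9.0.39, 9.0.0.M1 and 10.0.0-M10 (Tomcat spells milestones both ways).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")
# Line from `mvn dependency:tree`: group:artifact:type:version:scope.
DEP_LINE_RE = re.compile(r"org\.apache\.tomcat\.embed:tomcat-embed-core:jar:([^:\s]+):")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key so that 10.0.0-M9 < 10.0.0-M10 < 10.0.0.

    Key is (major, minor, patch, is_release, milestone): releases get
    is_release=1 and milestone=0, milestones get is_release=0, so plain tuple
    comparison puts every milestone before the release it precedes and orders
    milestones numerically rather than lexically.
    """
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(m.group(4)))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed version of the branch `version` falls into,
    or None when the version is outside every range listed on this page."""
    key = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= key < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, bool, Optional[str]]]:
    """Find tomcat-embed-core in `mvn dependency:tree` output and classify each hit.

    Returns (version, affected, upgrade_to) per occurrence. A line carrying a
    classifier (group:artifact:type:classifier:version:scope) would not match
    DEP_LINE_RE; that form is not expected for this artifact.
    """
    findings = []
    for line in tree_output.splitlines():
        m = DEP_LINE_RE.search(line)
        if m:
            version = m.group(1)
            findings.append((version, is_affected(version), fixed_version_for(version)))
    return findings


# Constructed sample of `mvn dependency:tree` output (not a real project's tree).
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.39:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.39:compile
[INFO] \\- junit:junit:jar:4.13.1:test
"""

if __name__ == "__main__":
    for version, affected, upgrade in scan_dependency_tree(SAMPLE_TREE):
        status = f"AFFECTED, upgrade to {upgrade}" if affected else "not in an affected range"
        print(f"tomcat-embed-core {version}: {status}")
```

Pipe a real tree in with `mvn dependency:tree | python3 check_tomcat.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the milestone handling matters because a naive string or float comparison would place 10.0.0-M10 before 10.0.0-M9 and report a fixed build as vulnerable.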


Additional Resources

What are Similar Vulnerabilities to CVE-2021-24122?

Similar Vulnerabilities: CVE-2014-0096 , CVE-2014-0075 , CVE-2012-0050 , CVE-2011-3964 , CVE-2008-2370