CVE-2024-50379
Race Condition vulnerability in tomcat-embed-core (Maven)
What is CVE-2024-50379 About?
A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat during JSP compilation permits Remote Code Execution (RCE). This flaw occurs on case-insensitive file systems when the default servlet allows write access. Exploitation is highly dependent on specific server configuration and environmental factors.
Affected Software
- org.apache.tomcat:tomcat-catalina
  - >10.1.0-M1, <10.1.34
  - >11.0.0-M1, <11.0.2
  - >9.0.0.M1, <9.0.98
  - >8.5.0, <=8.5.100
- org.apache.tomcat.embed:tomcat-embed-core
  - >10.1.0-M1, <10.1.34
  - >11.0.0-M1, <11.0.2
  - >9.0.0.M1, <9.0.98
  - >8.5.0, <=8.5.100
Technical Details
This TOCTOU race condition vulnerability exists in Apache Tomcat (versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97) during the JSP compilation process. On case-insensitive file systems, when the default servlet is configured for write access (a non-default setting), an attacker can exploit a timing window. The vulnerability arises because the server first checks a file/resource's validity or safety (time of check) and then later operates on it (time of use), during which an attacker can swap or modify the resource. Specifically, an attacker could upload a harmless JSP file, and during the compilation phase, when Tomcat writes intermediate files or checks the JSP, the attacker could swiftly replace the harmless content with malicious code. The case-insensitivity of the file system might aid in this, potentially allowing for subtle name manipulations or collisions that bypass checks, leading to the execution of the attacker's code during the compilation or subsequent serving of the JSP.
What is the Impact of CVE-2024-50379?
Successful exploitation may allow attackers to execute arbitrary code on the server with the privileges of the Tomcat process, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2024-50379?
Exploitation of this TOCTOU race condition is complex, requiring precise timing and specific environmental conditions. It demands that the attacker can interact with file write operations and exploit a small window between a check and its use. Authentication is typically required to upload a JSP, but guest access with write permissions could suffice. No specific privilege escalation beyond file write access is needed. This is generally a remote attack, although an attacker might need persistent access to interact with the file system quickly enough. The critical prerequisites are a case-insensitive file system and the default servlet being enabled for write access (a non-default and generally insecure configuration). The existence of a proof of concept indicates feasibility, but the precise timing and required server configuration make it challenging to execute reliably in diverse environments. Factors like high server load, which can lengthen the time window, could increase exploitability.
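The configuration prerequisite above (the default servlet allowing write access) is something a defender can check directly. The following script is an added example and is not code from the page or from the Apache Tomcat project: it parses a Tomcat conf/web.xml and reports whether org.apache.catalina.servlets.DefaultServlet is registered with its readonly init-param set to false (Tomcat's own default is readonly=true, so a missing parameter counts as safe). The two web.xml fragments embedded below are constructed samples, not copied from any real deployment.

```python
"""Audit a Tomcat web.xml for a writable default servlet (readonly=false).

Added example: not part of the CVE-2024-50379 advisory or of Apache Tomcat.
The servlet class name and the 'readonly' init-param are Tomcat's real
configuration names; the sample documents below are constructed for this demo.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the weak setting the advisory warns about.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the corrected setting (explicit readonly=true).
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

# Constructed sample: no readonly param at all; Tomcat then defaults to true.
NO_PARAM_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so both javaee and jakartaee files parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text: str) -> dict:
    """Return the init-params of the DefaultServlet declaration, or {} if absent."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                cls = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname is not None:
                    params[pname] = pvalue
        if cls == DEFAULT_SERVLET_CLASS:
            return params
    return {}


def default_servlet_writable(web_xml_text: str) -> bool:
    """True only when readonly is explicitly 'false' (case-insensitive)."""
    params = default_servlet_params(web_xml_text)
    return (params.get("readonly") or "true").strip().lower() == "false"


def audit_web_xml(web_xml_text: str) -> list:
    """Return a list of findings; empty means no writable default servlet."""
    findings = []
    if default_servlet_writable(web_xml_text):
        findings.append(
            "DefaultServlet has readonly=false: PUT/DELETE are accepted, "
            "which is a prerequisite for CVE-2024-50379; set readonly=true "
            "or upgrade to a fixed Tomcat release.")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML),
                       ("no-param", NO_PARAM_WEB_XML)):
        print(label, audit_web_xml(doc) or ["ok"])
```

Run it against the real file with `audit_web_xml(open("conf/web.xml").read())`, and remember that per-application WEB-INF/web.xml files can also declare a DefaultServlet, so scan those too. A clean result removes only one of the two prerequisites named above; the other (a case-insensitive file system, typically Windows) is a property of the host, and the upgrade remains the fix.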
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| SleepingBag945 | Link | tomcat CVE-2024-50379/CVE-2024-56337 race-condition file upload exploit |
| ph0ebus | Link | RCE through a race condition in Apache Tomcat |
| iSee857 | Link | Apache Tomcat (CVE-2024-50379) race-condition remote code execution vulnerability batch detection script |
What are the Available Fixes for CVE-2024-50379?
About the Fix from Resolved Security
The patch introduces resource-level locking for file operations in the affected Tomcat classes, preventing concurrent reads and writes to the same path. This mitigates race conditions that previously allowed operations like GET, PUT, and DELETE to corrupt internal file resource state, thus fixing the vulnerability described in CVE-2024-50379. By ensuring that only one operation can access a file resource for reading or writing at a time, the patch eliminates the potential for resource state inconsistency and related exploitation.
Available Upgrade Options
- org.apache.tomcat:tomcat-catalina
  - >9.0.0.M1, <9.0.98 → Upgrade to 9.0.98
  - >10.1.0-M1, <10.1.34 → Upgrade to 10.1.34
  - >11.0.0-M1, <11.0.2 → Upgrade to 11.0.2
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.0.M1, <9.0.98 → Upgrade to 9.0.98
  - >10.1.0-M1, <10.1.34 → Upgrade to 10.1.34
  - >11.0.0-M1, <11.0.2 → Upgrade to 11.0.2
Additional Resources
- http://www.openwall.com/lists/oss-security/2024/12/18/2
- https://security.netapp.com/advisory/ntap-20250103-0003
- https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
- https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98
- https://osv.dev/vulnerability/GHSA-5j33-cvvr-w245
- https://nvd.nist.gov/vuln/detail/CVE-2024-50379
- https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00
- https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f
What are Similar Vulnerabilities to CVE-2024-50379?
Similar Vulnerabilities: CVE-2020-13935, CVE-2020-1938, CVE-2019-0232, CVE-2018-11776, CVE-2017-5647
