CVE-2024-56337
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in tomcat-catalina (Maven)


What is CVE-2024-56337 About?

This vulnerability is a Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat, representing an incomplete mitigation of a previous issue. It affects installations running on case-insensitive file systems with write-enabled default servlets, potentially allowing attackers to bypass security checks. Exploitation requires specific environmental configurations and synchronized timing, making it complex to achieve.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >11.0.0-M1, <11.0.2
    • >10.1.0-M1, <10.1.34
  • org.apache.tomcat:tomcat-embed-core
    • >9.0.0.M1, <9.0.98
  • org.apache.tomcat.embed:tomcat-embed-core
    • >11.0.0-M1, <11.0.2
    • >10.1.0-M1, <10.1.34
    • >9.0.0.M1, <9.0.98

Technical Details

This TOCTOU race condition in Apache Tomcat arises from an incomplete mitigation of CVE-2024-50379. The vulnerability manifests when Tomcat runs on a case-insensitive file system and the default servlet has its readonly initialization parameter set to false, enabling write operations. The core issue is that a check performed by Tomcat to validate file access or properties happens at one point in time, but the actual use of the file (e.g., writing to it) occurs at a later point. During this window, an attacker can manipulate the file system state by changing file properties, renaming files, or creating symbolic links to bypass the security checks that were initially performed, leading to unauthorized file access or manipulation. The effectiveness of the mitigation is also dependent on the Java version, specifically regarding the sun.io.useCanonCaches system property, which affects how file paths are canonicalized and cached.

What is the Impact of CVE-2024-56337?

Successful exploitation may allow attackers to achieve unauthorized file access, modify system configurations, or execute arbitrary code by manipulating file system operations through race conditions, leading to data corruption or system compromise.

What is the Exploitability of CVE-2024-56337?

Exploitation of this TOCTOU race condition is highly complex, requiring precise timing and specific environmental prerequisites. It necessitates that Tomcat is running on a case-insensitive file system and that the default servlet has write capabilities enabled (readonly=false). While no authentication is explicitly required for the race condition itself, an attacker would need some level of access to trigger file system operations that can be interleaved with Tomcat's checks. The attack can be launched remotely if write access to the default servlet is exposed. The exploitability is further complicated by the dependency on the Java version and the sun.io.useCanonCaches system property, which dictates how the issue is mitigated. A critical risk factor is a system configuration that enables write-access to the default servlet on a case-insensitive file system without proper sun.io.useCanonCaches settings.
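As an added example, not code from this page or from the Tomcat project, the following Python audit evaluates the three preconditions named above: the DefaultServlet's readonly parameter, the effective value of sun.io.useCanonCaches for a given Java major version and JVM options, and whether the file system is case-insensitive. The web.xml excerpt is constructed, and the JDK defaults it encodes (property true by default on Java 8 and 11, false on Java 12 to 20, removed in Java 21) come from the JDK, not from this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of a Tomcat conf/web.xml in which the DefaultServlet has
# the weak setting this advisory warns about: readonly explicitly set to false.
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag: str) -> str:
    """Strip the XML namespace so element names compare as plain strings."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet's readonly init-param is explicitly 'false'.
    When the parameter is absent, Tomcat's default is read-only."""
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        params = {}
        for init in (e for e in servlet if _local(e.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in init}
            params[kv.get("param-name")] = kv.get("param-value", "")
        if cls.strip().endswith("DefaultServlet") and params.get("readonly", "true").lower() == "false":
            return True
    return False

def canon_cache_enabled(java_major: int, jvm_opts: str) -> bool:
    """Effective sun.io.useCanonCaches value (JDK behaviour, assumed here):
    removed in Java 21+, defaults to true on Java 8/11 and false on Java 12-20,
    and an explicit -D flag on the command line overrides the default."""
    if java_major >= 21:
        return False
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)
    if m:
        return m.group(1).lower() == "true"
    return java_major < 12

def at_risk(web_xml: str, java_major: int, jvm_opts: str, case_insensitive_fs: bool) -> bool:
    """All three preconditions from the advisory must hold for the race to matter."""
    return (case_insensitive_fs
            and default_servlet_writable(web_xml)
            and canon_cache_enabled(java_major, jvm_opts))
```

Run it against the real conf/web.xml and the JAVA_OPTS/CATALINA_OPTS of each instance; a True result identifies the combination that the upgrade below removes.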

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2024-56337?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.M1, <9.0.98 → Upgrade to 9.0.98
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.0-M1, <10.1.34 → Upgrade to 10.1.34
  • org.apache.tomcat.embed:tomcat-embed-core
    • >11.0.0-M1, <11.0.2 → Upgrade to 11.0.2
  • org.apache.tomcat:tomcat-catalina
    • >10.1.0-M1, <10.1.34 → Upgrade to 10.1.34
  • org.apache.tomcat:tomcat-catalina
    • >11.0.0-M1, <11.0.2 → Upgrade to 11.0.2
  • org.apache.tomcat:tomcat-embed-core
    • >9.0.0.M1, <9.0.98 → Upgrade to 9.0.98


Additional Resources

What are Similar Vulnerabilities to CVE-2024-56337?

Similar Vulnerabilities: CVE-2021-41079, CVE-2020-1934, CVE-2019-0232, CVE-2018-8037, CVE-2017-12616