Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
EPSS Score: 4%
Comprehensive Technical Analysis of EUVD-2024-3542
1. Vulnerability Assessment and Severity Evaluation
The EUVD-2024-3542 entry describes a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This type of vulnerability occurs when the state of a system changes between the time it is checked and the time it is used, leading to potential security issues. The vulnerability affects multiple versions of Apache Tomcat and has a high base score of 9.8 according to the CVSS v3.1 scoring system. This score indicates a critical severity due to the following factors:
- Attack Vector (AV:N): The vulnerability can be exploited over the network.
- Attack Complexity (AC:L): The attack requires low complexity.
- Privileges Required (PR:N): No privileges are required to exploit the vulnerability.
- User Interaction (UI:N): No user interaction is required.
- Scope (S:U): The vulnerability does not change the security scope.
- Confidentiality (C:H): High impact on confidentiality.
- Integrity (I:H): High impact on integrity.
- Availability (A:H): High impact on availability.
2. Potential Attack Vectors and Exploitation Methods
The TOCTOU vulnerability can be exploited by an attacker who can manipulate the state of the system between the time a check is performed and the time the system uses the checked state. Specifically, in the context of Apache Tomcat, this could involve:
- File System Manipulation: An attacker could manipulate files on a case-insensitive file system to bypass security checks.
- Servlet Manipulation: An attacker could exploit the default servlet write functionality to inject malicious code or manipulate data.
3. Affected Systems and Software Versions
The vulnerability affects the following versions of Apache Tomcat:
- Apache Tomcat 11.0.0-M1 through 11.0.1
- Apache Tomcat 10.1.0-M1 through 10.1.33
- Apache Tomcat 9.0.0.M1 through 9.0.97
4. Recommended Mitigation Strategies
To mitigate this vulnerability, the following steps are recommended:
- Update Apache Tomcat: Upgrade to the latest versions of Apache Tomcat that include the necessary fixes:
  - Apache Tomcat 11.0.3 or later
  - Apache Tomcat 10.1.35 or later
  - Apache Tomcat 9.0.99 or later
- Configure Java System Properties: Depending on the version of Java being used, configure the sun.io.useCanonCaches system property:
  - Java 8 or Java 11: Set sun.io.useCanonCaches to false.
  - Java 17: Ensure sun.io.useCanonCaches is set to false if it is set at all.
  - Java 21 onwards: No additional configuration is required as the problematic cache has been removed.
- Disable Default Servlet Write: If possible, disable the default servlet write functionality by setting the readonly initialization parameter to true.
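As an added example (not part of the advisory or of Tomcat's own code), the Python check below applies the mitigation rules above to a deployment's DefaultServlet readonly setting, its JVM options and its Java major version; the web.xml fragment and option strings are constructed, and treating Java 18-20 like the Java 17 case is an assumption.

```python
"""Audit a Tomcat deployment against this advisory's per-Java-version rules (constructed sample data)."""
import re
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragment showing the non-default readonly=false.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip the XML namespace so web.xml matching does not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    """Text of the first child element with this local name, or None."""
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def default_servlet_readonly(web_xml):
    """Return the DefaultServlet readonly init-param as a bool; Tomcat's default is true."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _text(param, "param-name") == "readonly":
                return (_text(param, "param-value") or "true").lower() != "false"
    return True

def canon_caches_setting(jvm_opts):
    """Return the -Dsun.io.useCanonCaches value (lower-cased), or None if not set."""
    match = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)
    return match.group(1).lower() if match else None

def needs_action(readonly, jvm_opts, java_major, case_insensitive_fs):
    """Return a remediation string when the advisory requires one, else None."""
    if readonly or not case_insensitive_fs:
        return None  # out of scope: writes disabled, or case-sensitive file system
    setting = canon_caches_setting(jvm_opts)
    if java_major >= 21:
        return None  # the property and the problematic cache have been removed
    if java_major >= 17:  # assumption: Java 18-20 are treated like Java 17
        return None if setting in (None, "false") else "set sun.io.useCanonCaches=false"
    # Java 8 / 11: the property defaults to true, so it must be set explicitly
    return None if setting == "false" else "explicitly set -Dsun.io.useCanonCaches=false"
```

Feed it the real conf/web.xml contents and the CATALINA_OPTS string of an instance to see which, if any, of the three mitigations still applies.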
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations using Apache Tomcat within the European Union. Given the widespread use of Apache Tomcat in web applications, the potential impact includes:
- Data Breaches: Unauthorized access to sensitive data.
- Service Disruption: Potential denial-of-service attacks.
- Compliance Issues: Non-compliance with data protection regulations such as GDPR.
6. Technical Details for Security Professionals
- Vulnerability Identification: The vulnerability is identified by CVE-2024-56337 and GHSA-27hp-xhwr-wr2m.
- References:
  - NVD Detail
  - Apache Tomcat GitHub
  - Apache Security Mailing List
  - NetApp Security Advisory
  - Apache Tomcat Security Advisories:
    - https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34
    - https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2
    - https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98
  - CVE Record
- EPSS Score: The Exploit Prediction Scoring System (EPSS) score is 4, indicating a moderate likelihood of exploitation.
- ENISA IDs:
  - Product: Apache Tomcat versions 10.1.0-M1 through 10.1.33, 9.0.0.M1 through 9.0.97, and 11.0.0-M1 through 11.0.1.
  - Vendor: Apache Software Foundation.
Conclusion
The TOCTOU Race Condition vulnerability in Apache Tomcat is a critical issue that requires immediate attention. Organizations should prioritize updating their Apache Tomcat installations and configuring the necessary Java system properties to mitigate the risk. The potential impact on the European cybersecurity landscape underscores the importance of prompt action to protect sensitive data and ensure compliance with regulatory requirements.