- 341/2024
- Critical
Apache has released security updates to address two vulnerabilities affecting multiple versions of Apache Tomcat.
The addressed vulnerabilities could allow the remote attacker to perform denial of service attacks or execute arbitrary code, and gain access to the affected systems.
The addressed vulnerabilities:
1. Apache Tomcat Code Execution Vulnerability (CVE-2024-50379):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Apache Tomcat Denial of Service Vulnerability (CVE-2024-54677):
- CVSS: 5.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
The affected products:
- Apache Tomcat 11.0.0-M1 to 11.0.1
- Apache Tomcat 10.1.0-M1 to 10.1.33
- Apache Tomcat 9.0.0.M1 to 9.0.97
Vulnerabilities
- CVE-2024-50379
- CVE-2024-54677
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.