Apache Tomcat Security Updates - 24 December 2024

344/2024

High

December 24, 2024

12:59 pm

Apache has released security updates to address a vulnerability affecting multiple versions of Apache Tomcat.

The addressed vulnerability could allow the remote attacker to execute arbitrary code, bypass intended file system access controls, and gain access to the affected systems.

Apache Tomcat Code Execution Vulnerability (CVE-2024-56337):

CVSS: 8.1
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Consequences: Gain Access

The affected products:

Apache Tomcat 11.0.0-M1 to 11.0.1.
Apache Tomcat 10.1.0-M1 to 10.1.33.
Apache Tomcat 9.0.0.M1 to 9.0.97.

It should be highlighted that the (KnownSec 404) team has been reporting CVE2024-56337 with a proof-of-concept (PoC) code and it should also be noted that the fixed vulnerability CVE-2024-56337 has been described as an incomplete mitigation for CVE-2024-50379, a critical remote code execution (RCE), for which the vendor released a patch on December 17.

Vulnerabilities

CVE-2024-56337

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

Apache Tomcat Security Advisory

References

Apache Tomcat Security Advisory

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.