Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

Severity: CRITICAL (CVSS Score: 9.8)

Information:

Apache Tomcat is a free, open-source Java servlet container that hosts Java-based web applications and implements the Java Servlet and JavaServer Pages (JSP) specifications. It provides a robust and scalable environment for dynamic web content, managing Java servlets that process requests and generate responses.

Incident:

  The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.

  The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.

"Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialization parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat," the project maintainers said in an advisory last week.

Both flaws are time-of-check/time-of-use (TOCTOU) race conditions that can lead to code execution on case-insensitive file systems when the default servlet has write enabled.

  "Concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution," Apache noted in an alert for CVE-2024-50379. 

The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting both shortcomings. It also acknowledged the KnownSec 404 Team for independently reporting CVE-2024-56337 with a proof-of-concept (PoC) code.

  The disclosure comes as the Zero Day Initiative (ZDI) shared details of a critical bug in Webmin (CVE-2024-12828, CVSS score: 9.9) that allows authenticated remote attackers to execute arbitrary code.

"The specific flaw exists within the handling of CGI requests," the ZDI said. "The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root."

CVE-2024-56337 affects the following versions of Apache Tomcat:

  • Apache Tomcat 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)

Additionally, users must make the following configuration change depending on the version of Java in use:

  • Java 8 or Java 11 - Explicitly set system property sun.io.useCanonCaches to false (it defaults to true)
  • Java 17 - Set system property sun.io.useCanonCaches to false, if already set (it defaults to false)
  • Java 21 and later - No action is required, as the system property has been removed
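The advisory ties the exposure to two settings at once: whether the default servlet is writable (readonly=false in web.xml) and whether the Java version in use still needs sun.io.useCanonCaches=false. The POSIX shell script below is an added audit helper, not part of the ASF advisory, of Tomcat, or of this newsletter; it reads the default servlet's readonly parameter from a web.xml, pulls the property value out of a JVM options string such as CATALINA_OPTS, and applies the per-version rule above. The two web.xml fragments it uses are constructed samples, and Java versions the advisory does not name (12-16, 18-20) are assumed to follow the nearest named version below them.

```shell
#!/bin/sh
# Added audit helper; not part of the ASF advisory or of Tomcat itself.
# It checks the two conditions the advisory ties together for CVE-2024-50379 /
# CVE-2024-56337: is the default servlet writable (readonly=false), and does the
# Java version in use still need sun.io.useCanonCaches=false. The web.xml
# fragments at the bottom are constructed samples, not real deployment files.

# Print the default servlet's effective "readonly" init-param from a web.xml.
# Tomcat's default is true, so an absent parameter prints "true".
default_servlet_readonly() {
  webxml="$1"
  val=$(sed -n '/<servlet-name>default<\/servlet-name>/,/<\/servlet>/p' "$webxml" \
        | sed -n '/<param-name>readonly<\/param-name>/{n;p;}' \
        | sed 's/.*<param-value>//; s/<\/param-value>.*//' \
        | tr -d ' \t\r')
  if [ -n "$val" ]; then echo "$val"; else echo "true"; fi
}

# Pull the value of -Dsun.io.useCanonCaches=... out of a JVM options string
# (for example $CATALINA_OPTS from bin/setenv.sh). Prints nothing when unset;
# the last occurrence wins, as it does on the java command line.
canon_caches_from_opts() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Dsun\.io\.useCanonCaches=//p' | tail -n 1
}

# Map the advisory's per-version instructions to an action.
#   $1 = Java major version, $2 = current property value ("" when unset)
# Assumption: versions the advisory does not name (12-16, 18-20) are treated
# like the nearest named version below them; setting false is harmless anyway.
canon_caches_action() {
  major="$1"; current="$2"
  if [ "$major" -ge 21 ]; then
    echo "none (property removed in Java 21+)"
  elif [ "$major" -ge 17 ]; then
    if [ "$current" = "true" ]; then echo "set-false"; else echo "none (defaults to false)"; fi
  else
    if [ "$current" = "false" ]; then echo "none (already false)"; else echo "set-false"; fi
  fi
}

# Combine both checks: a read-only default servlet is not exposed to the race,
# so the property only matters when readonly=false.
tomcat_needs_action() {
  webxml="$1"; major="$2"; current="$3"
  if [ "$(default_servlet_readonly "$webxml")" != "false" ]; then
    echo "none (default servlet is read-only)"
  else
    canon_caches_action "$major" "$current"
  fi
}

# Constructed samples: one with write enabled, one with Tomcat's shipped defaults.
SAMPLE_WRITABLE=$(mktemp); SAMPLE_DEFAULT=$(mktemp)
trap 'rm -f "$SAMPLE_WRITABLE" "$SAMPLE_DEFAULT"' EXIT
cat > "$SAMPLE_WRITABLE" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF
cat > "$SAMPLE_DEFAULT" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF

# Stand-alone run: report both samples for a Java 11 host, reading the property
# from whatever CATALINA_OPTS is set in the current environment.
for f in "$SAMPLE_WRITABLE" "$SAMPLE_DEFAULT"; do
  printf '%s: readonly=%s -> %s\n' "$f" "$(default_servlet_readonly "$f")" \
    "$(tomcat_needs_action "$f" 11 "$(canon_caches_from_opts "${CATALINA_OPTS:-}")")"
done
```

To audit a real installation, point default_servlet_readonly at $CATALINA_BASE/conf/web.xml (and at each application's WEB-INF/web.xml, since an application can override the default servlet), take the Java major version from `java -version`, and pass the CATALINA_OPTS string from bin/setenv.sh. A result of "set-false" means adding -Dsun.io.useCanonCaches=false to CATALINA_OPTS in addition to upgrading Tomcat; the upgrade alone is not the complete fix on Java 8, 11 or 17.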

Security systems remain the important thing: we must stay alert and keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)

References:

Weekly Interesting CVE

1. CVE-2024-56359
   Published date: 20/12/2024 | Last update: 20/12/2024
   Device/Application/OS target: grist-core before version 1.3.2
   Attack type: Cross-Site Scripting
   CVSS severity rating: 8.1
   Detail: A vulnerability where users might be attacked if they visit a malicious document and click on a hyperlink in a cell using a command modifier (e.g., Ctrl+Click). This is because such links could use the "javascript:" scheme and be executed within the context of the user's current web page.
   Solution: Update to version 1.3.2
   Reference: https://www.cvedetails.com/cve/CVE-2024-56359/

2. CVE-2024-56356
   Published date: 20/12/2024 | Last update: 20/12/2024
   Device/Application/OS target: JetBrains TeamCity before version 2024.12
   Attack type: XML External Entity
   CVSS severity rating: 5.9
   Detail: In JetBrains TeamCity versions prior to 2024.12, there was an insecure configuration of XMLParser that could lead to XXE (XML External Entity) attacks.
   Solution: Update to version 2024.12.
   Reference: https://www.jetbrains.com/privacy-security/issues-fixed/

3. CVE-2024-51464
   Published date: 2/12/2024 | Last update: 21/12/2024
   Device/Application/OS target: IBM i versions 7.3, 7.4, and 7.5
   Attack type: Privilege Escalation
   CVSS severity rating: 4.3
   Detail: There is a vulnerability that allows bypassing the restrictions of the Navigator for i interface. An authenticated attacker could send specially crafted requests to exploit this vulnerability and perform certain actions remotely that the user is not authorized to execute via Navigator for i.
   Solution: IBM i 7.3: SJ02359; 7.4: SJ02360; 7.5: SJ02361.
   Reference: https://www.ibm.com/support/pages/node/7179509

4. CVE-2024-56334
   Published date: 20/12/2024 | Last update: 20/12/2024
   Device/Application/OS target: Node.js
   Attack type: Remote Code Execution (RCE) / Local Privilege Escalation (LPE)
   CVSS severity rating: 7.8
   Detail: Systeminformation is a library for retrieving system and operating system information in Node.js. In the affected versions, SSID values were not safely sanitized before being passed as parameters to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID could potentially be executed as an operating system command.
   Solution: Update to version 5.23.7
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-56334

5. CVE-2024-56333
   Published date: 20/12/2024 | Last update: 20/12/2024
   Device/Application/OS target: Onyxia
   Attack type: Remote Code Execution
   CVSS severity rating: 9.4
   Detail: This critical vulnerability allows an authenticated user to execute remote code within the Onyxia-API. This could result in various impacts, such as unauthorized access to other users' environments or Denial of Service (DoS) attacks.
   Solution: Update to versions 4.2.0, 3.1.1, and 2.8.2
   Reference: https://www.cvedetails.com/vulnerability-list/year-2024/month-12/December.html?page=1&order=1

1. Campaign name: ZLoader Malware Returns With DNS Tunneling
   Detection date: 11/12/2024
   Attack type: DNS Tunneling, Interactive Shell, Privilege Escalation, Ransomware Deployment
   Description: ZLoader is malware derived from the Zeus Trojan that is continually updated to improve its attack and evasion capabilities. The latest version, 2.9.4.0, adds DNS tunneling to avoid detection by security systems and an interactive shell that lets attackers take control of the system, for example to execute code and steal data. It also uses sophisticated anti-analysis techniques. ZLoader is a valuable tool for attackers, especially as a first stage that paves the way for ransomware attacks.
   Mitigation/Remediation:
     1. Keep software and systems up to date.
     2. Train employees to recognise phishing and to avoid emails with malicious links or attachments.
     3. Employ endpoint protection and network monitoring to detect exploitation attempts.
   Ref: https://thehackernews.com/2024/12/zloader-malware-returns-with-dns.html

06 January 2025
