
KB Article #189500

SECURITY: Vulnerability in Apache Tomcat before version 9.0.97 (CVE-2024-50379, CVE-2024-56337)

Problem

Vulnerabilities CVE-2024-50379 and CVE-2024-56337 have been discovered affecting Apache Tomcat versions 9.0.97 and lower.


Apache Tomcat is embedded in SecureTransport, where it serves the Administration Tool service. SecureTransport versions prior to 5.5-20241219 (December 2024) contain Tomcat version 9.0.97 or lower, which may be flagged by security scanners.


SecureTransport versions 5.5-20241219 and higher are unaffected as they contain Tomcat version >9.0.98.


Resolution

Axway R&D analyzed the issue with the following result:


The current SecureTransport version and all supported previous versions are NOT vulnerable to CVE-2024-50379 or CVE-2024-56337.

Nevertheless, customers are advised to upgrade to 5.5-20241219 or higher to take advantage of the latest Java 21 and Tomcat security fixes and mechanisms.


Detailed analysis:

The attack is described as:


If the default servlet is write-enabled ("readonly" initialization parameter set to the non-default value "false") on a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat’s case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.


The issue concerns the org.apache.catalina.servlets.DefaultServlet that ships with the Tomcat application server. This servlet is configured in ${CATALINA_HOME}/conf/web.xml and mapped to "/", so it serves files for requests that no other servlet in an application handles. By default it allows only GET (read operations), but it can be configured to accept file uploads by explicitly adding a readonly=false init-param to its settings.


The other key prerequisite for exploiting this issue is that Tomcat is installed on a case-insensitive file system, which may be the case on Microsoft Windows. While SecureTransport can be deployed on a Windows Server OS, it is highly unlikely that an OS administrator has modified web.xml. The embedded Tomcat in SecureTransport is overwritten on every product update and is not intended for manual configuration changes or for serving any content other than its dedicated purpose: the Administration Tool application with its preconfigured settings.


You can manually verify whether such a modification is in place.


Verification steps

Verify that these files:


  • <FILEDRIVEHOME>/tomcat/conf/web.xml
  • <FILEDRIVEHOME>/tomcat/admin/conf/web.xml
  • <FILEDRIVEHOME>/tomcat/as2/conf/web.xml


do not include the following two lines in the DefaultServlet section:


<param-name>readonly</param-name>
<param-value>false</param-value>
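The following script automates the verification above. It is an added example, not part of the Axway article or the SecureTransport product: it parses each web.xml with Python's standard XML library and reports whether the org.apache.catalina.servlets.DefaultServlet declaration carries an init-param named readonly with the value false. The sample web.xml documents embedded in it are constructed for illustration, and the FILEDRIVEHOME environment variable used in the usage block is an assumption about how the installation root is made available.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Relative paths of the three files the article asks you to check,
# resolved against <FILEDRIVEHOME> at runtime.
WEB_XML_RELATIVE_PATHS = (
    "tomcat/conf/web.xml",
    "tomcat/admin/conf/web.xml",
    "tomcat/as2/conf/web.xml",
)


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ('{uri}name' -> 'name'); web.xml declares one."""
    return tag.rsplit("}", 1)[-1]


def _children(elem: ET.Element, name: str) -> list:
    return [child for child in elem if _local(child.tag) == name]


def _text(elem: ET.Element, name: str) -> str:
    hits = _children(elem, name)
    return (hits[0].text or "").strip() if hits else ""


def default_servlet_write_enabled(web_xml_text: str) -> bool:
    """Return True if a DefaultServlet declaration sets readonly to false.

    Only real <init-param> elements are inspected; XML comments (the stock
    Tomcat web.xml documents 'readonly' inside a comment) are ignored by the
    parser, so they cannot produce a false positive the way a plain grep would.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in _children(servlet, "init-param"):
            if (_text(param, "param-name") == "readonly"
                    and _text(param, "param-value").lower() == "false"):
                return True
    return False


def check_files(paths) -> dict:
    """Map each existing web.xml path to True (write-enabled) or False."""
    results = {}
    for p in paths:
        path = Path(p)
        if path.is_file():
            results[str(path)] = default_servlet_write_enabled(
                path.read_text(encoding="utf-8"))
    return results


def _sample(extra_params: str) -> str:
    """Constructed web.xml fragment mirroring the stock DefaultServlet block."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!-- readonly: Is this context "read only"? Default false -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    {extra_params}
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>
"""


# Constructed samples: stock configuration, the modification the article
# warns about, and an explicit readonly=true (also acceptable).
SAFE_WEB_XML = _sample("")
WRITE_ENABLED_WEB_XML = _sample(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>")
EXPLICIT_READONLY_WEB_XML = _sample(
    "<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>")


if __name__ == "__main__":
    # Assumption: FILEDRIVEHOME points at the SecureTransport installation root.
    home = Path(os.environ.get("FILEDRIVEHOME", "."))
    for path, write_enabled in check_files(home / rel for rel in WEB_XML_RELATIVE_PATHS).items():
        verdict = "WRITE-ENABLED (readonly=false present)" if write_enabled else "ok (read-only)"
        print(f"{path}: {verdict}")
```

Run it with FILEDRIVEHOME set to the installation root; any file reported as WRITE-ENABLED carries the two lines listed above and should be restored to the product's shipped configuration. Parsing the XML rather than grepping matters because the stock Tomcat web.xml mentions readonly in explanatory comments, which a text search would flag even on an unmodified installation.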