About the Vulnerability
Introduction
The Apache Tomcat software is an open-source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications. These specifications are part of the Jakarta EE platform.
Summary
On December 18, 2024, Sangfor FarSight Labs received notification that an Apache-Tomcat component contains information of remote code execution vulnerability(CVE-2024-50379), classified as critical in threat level.
Apache Tomcat contains a remote code execution vulnerability. When the readonly parameter of the default Servlet is set to false, attackers can exploit a race condition to upload malicious code using the PUT method and trigger execution, leading to server compromise.
Affected Versions
9.0.0.M1 ≤ Apache Tomcat < 9.0.98
10.1.0-M1 ≤ Apache Tomcat < 10.1.34
11.0.0-M1 ≤ Apache Tomcat < 11.0.2
Solutions
Remediation Solutions
Check the System Version
In the Windows system, execute the following command under the bin directory to check the version of Tomcat: ./version.bat
Official Solution
Temporary Solution:
1.Set the readOnly parameter in the conf/web.xml file to true;
2.Disable the PUT method and restart the server to update the configuration.
Secure Versions:
Apache Tomcat 11.0.2
Apache Tomcat 10.1.34
Apache Tomcat 9.0.98
The latest version has been officially released to fix the vulnerability. Affected users are recommended to update the version of Tomcat to the secure versions and versions above.
Download link:
Tomcat 11: https://tomcat.apache.org/download-11.cgi
Tomcat 10: https://tomcat.apache.org/download-10.cgi
Tomcat 9: https://tomcat.apache.org/download-90.cgi
Sangfor Solutions
Vulnerability Proactive Detection
Support is provided for proactive detection of Tomcat Remote Code Execution Vulnerability (CVE-2024-50379); and it is capable of quickly batch identifying whether there are vulnerability risks in business scenarios. Related products are as follows:
[Sangfor Cyber Guardian MDR] is expected to release a detection scheme on December 23, 2024, with Rule ID: SF-0005-21035.
[Sangfor Omni-Command XDR] is expected to release a detection scheme on December 22, 2024, with Rule ID: SF-0005-21035.
Vulnerability Security Detection
Support is provided for monitoring Tomcat Remote Code Execution Vulnerability (CVE-2024-50379); and it is capable of monitoring the affected asset conditions in business scenarios in real-time based on traffic collection, and quickly checking the scope of impact. Related products and services are as follows:
[Sangfor Cyber Command] his expected to release a monitoring scheme on December 31, 2024, with Rule ID: 11027850.
[Sangfor Cyber Guardian MDR] has released a monitoring scheme (requiring Cyber Command component capabilities), with Rule ID: 11027850.
[Sangfor Omni-Command XDR] has released a monitoring scheme, with Rule ID: 11027850.
Security Protection
Support is provided for defense against Tomcat Remote Code Execution Vulnerability (CVE-2024-50379); and it is capable of blocking attackers' intrusion targeting this event. Related products and services are as follows:
[Sangfor Network Secure] is expected to release a protection scheme on December 31, 2024, with Rule ID: 11027850.
[Sangfor WAF] is expected to release a protection scheme on December 31, 2024, with Rule ID: 11027850.
[Sangfor Cyber Guardian MDR] is expected to release a protection scheme (requiring Network Secure component capabilities) on December 31, 2024, with Rule ID: 11027850.
[Sangfor Omni-Command XDR] is expected to release a protection scheme (requiring Network Secure component capabilities) on December 31, 2024 , with Rule ID: 11027850.
Timeline
On December 18, 2024, Sangfor FarSight Labs received notification of Tomcat Remote Code Execution Vulnerability.
On December 18, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r