Neutralizing Apache Tomcat CVE-2024-56337 and CVE-2024-50379

Recently (just before the holidays) two CVEs were uncovered and made public in Apache Tomcat (CVE-2024-56337 and CVE-2024-50379). Both vulnerabilities stem from Time-of-check Time-of-use (TOCTOU) race conditions and give an attacker the opportunity to remotely execute arbitrary code on a target system.

TOCTOU vulnerabilities arise from the window between the moment a condition is checked and the moment the result of that check is used; an attacker who changes the system's state inside that window bypasses the check and the security measure it was meant to enforce. Remote code execution (RCE) exploits can compromise sensitive data, disrupt operations, and escalate privileges, posing a severe risk to businesses that depend on Tomcat-based systems. These vulnerabilities are particularly challenging to detect and prevent, as they take advantage of how systems process commands in real time.

Understanding CVE-2024-56337 and CVE-2024-50379

The Apache Software Foundation (ASF) revealed that CVE-2024-56337 is an incomplete mitigation of CVE-2024-50379, a critical vulnerability with a CVSS score of 9.8. Both vulnerabilities exploit TOCTOU conditions on case-insensitive file systems when the Tomcat default servlet is configured for write access. By concurrently uploading and reading files, attackers can bypass case-sensitivity checks, treating uploaded files as executable JSP scripts, thereby enabling remote code execution (RCE).

The vulnerabilities affect multiple Tomcat versions:

  • 11.0.0-M1 to 11.0.1 (Fixed in 11.0.2 or later)
  • 10.1.0-M1 to 10.1.33 (Fixed in 10.1.34 or later)
  • 9.0.0.M1 to 9.0.97 (Fixed in 9.0.98 or later)

While ASF recommends upgrading and reconfiguring systems based on Java versions, the process is far from straightforward for businesses reliant on highly customized, legacy environments.
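As an added example that is not part of the original article or of Waratek's product, the following Python script checks the two configuration-visible preconditions the advisory names: a Tomcat version inside the affected ranges listed above, and a default servlet with write access enabled (the `readonly` init-param set to `false` in web.xml; Tomcat's built-in default is `true`). The third precondition, a case-insensitive filesystem under the web application, cannot be read from web.xml and must be checked on the host; the sample web.xml below is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected release lines and the first fixed release, as listed in the advisory.
FIXED = {(11, 0): "11.0.2", (10, 1): "10.1.34", (9, 0): "9.0.98"}

def parse_version(v: str) -> tuple:
    """Sortable tuple; milestones ('9.0.0.M1', '11.0.0-M1') sort before the final x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    rel = (int(major), int(minor), int(patch))
    return rel + ((1, 0) if ms is None else (0, int(ms)))

def is_affected_version(v: str) -> bool:
    parsed = parse_version(v)
    fixed = FIXED.get(parsed[:2])           # lines not in the advisory are not flagged
    return fixed is not None and parsed < parse_version(fixed)

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]            # drop the {xmlns} prefix ElementTree adds

def _child_text(el, name: str) -> str:
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def default_servlet_writable(web_xml: str) -> bool:
    """True when the DefaultServlet carries init-param readonly=false (write access).
    Tomcat's default is readonly=true, so an absent parameter means 'not writable'."""
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        if _child_text(servlet, "servlet-class").endswith(".DefaultServlet"):
            for p in (e for e in servlet.iter() if _local(e.tag) == "init-param"):
                if _child_text(p, "param-name") == "readonly":
                    return _child_text(p, "param-value").lower() == "false"
    return False

def exposed(version: str, web_xml: str) -> bool:
    """Both config-visible preconditions hold; the filesystem's case sensitivity
    (the third precondition) still has to be confirmed on the host itself."""
    return is_affected_version(version) and default_servlet_writable(web_xml)

# Constructed sample: a conf/web.xml that enables write access on the default servlet.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run `exposed("10.1.33", SAMPLE_WEB_XML)` against your own version string and conf/web.xml to see whether both checks fire; a `True` result means the upgrade (or the fixed release) should be prioritised.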

Exploitation Impacts: A Business Nightmare

If successfully exploited, these vulnerabilities can wreak havoc. RCE enables attackers to execute arbitrary code, compromising sensitive data, disrupting operations, and potentially escalating privileges to compromise entire systems. For businesses, this could mean leaked customer information, downtime, reputational damage, and financial loss. Worse still, patching these vulnerabilities is often a lengthy process involving regression testing, rewriting customizations, and handling potential disruptions—leaving organizations exposed in the interim. The whole process can be extremely costly, particularly to under-resourced security teams. There are also costs associated with downtime and service disruptions. 

Waratek: Proactive Protection Against Zero-Days

The vulnerabilities CVE-2024-56337 and CVE-2024-50379 are prime examples of how attackers exploit gaps in application security. Addressing these threats requires a proactive approach to ensure organizations remain secure, even before vulnerabilities are identified and publicized. Many organizations face significant challenges when it comes to timely upgrades due to dependencies on legacy environments, custom configurations, or the need for rigorous regression testing. These delays leave systems vulnerable for extended periods — untenable in the modern threat landscape.

Speeding up the vulnerability remediation process and avoiding system downtime should be every security team’s top priority. Advanced runtime protection mechanisms offer just that. A quality RASP solution like the Waratek platform can analyze how commands interact with the runtime environment.

Waratek also enables security teams to apply immutable rules that target vulnerability classes such as Path Traversal or TOCTOU race conditions and neutralize exploitation attempts in real time. By intercepting unauthorized actions, such as malicious file uploads treated as executable scripts, these measures prevent attackers from compromising systems through attack vectors like these Apache Tomcat vulnerabilities.

Meanwhile, our virtual patching capabilities address vulnerabilities at runtime without requiring immediate changes to the codebase or system configurations. This allows organizations to mitigate threats instantly while planning and executing permanent fixes at their own pace. This ensures continuous protection, regardless of whether the vulnerability is zero-day or a known issue.

How Waratek’s Path Traversal Rule Neutralizes Risk

Current Waratek customers may already be protected from CVE-2024-56337 and CVE-2024-50379 under the Path Traversal rule. These vulnerabilities exploit the gap between the initial file or path validation (check) and subsequent use (execution). The Path Traversal rule addresses this by intercepting and inspecting all filesystem operations during execution to ensure that only authorized and validated paths are accessed, regardless of whether the attacker has manipulated the input.

The rule continuously monitors every filesystem interaction during the application’s runtime. This includes file reads, writes, and executions. If an attempted access deviates from the expected or authorized path, the operation is blocked immediately. Attack vectors exploiting TOCTOU conditions rely on rapid alterations of a path’s properties during processing. Waratek’s rule eliminates this attack vector by reevaluating the path at the exact moment it is accessed, neutralizing timing-related exploits.

Activating the Path Traversal Rule as a Waratek Customer

If you are a Waratek customer and do not currently have the Path Traversal rule activated, follow these steps to enable it:

  1. Access the Waratek Management Console:
    • Log into the Waratek platform using your admin credentials.
  2. Navigate to Rule Management:
    • Go to the section labeled “Security Rules” or “Runtime Protection.”
  3. Locate the Path Traversal Rule:
    • Look for the specific rule under “Filesystem Protections” or use the search bar to find “Path Traversal.”
  4. Activate the Rule:
    • If the rule is not already active, toggle it to “On” or select the “Activate” button, depending on your interface version.
  5. Customize Conditions (Optional):
    • If your environment has unique requirements, you can refine the rule’s parameters. For instance, you can specify directories or file patterns that require additional monitoring or exclusions.
  6. Apply and Deploy:
    • Save the changes and deploy the updated rule set. Waratek’s platform will dynamically apply the rule without requiring system restarts.
  7. Verify Activation:
    • Use the Waratek audit logs or rule status section to confirm that the Path Traversal rule is active and applied to your application.

By activating this rule, you gain immediate protection against these vulnerabilities without requiring code changes or downtime for patch implementation.

The Bottom Line

The last thing businesses need when grappling with potential system compromise is more downtime. Security and ops teams need solutions that just work — and quickly. For enterprises grappling with the complexity of securing their systems, Waratek simplifies the equation. Whether it’s one of these two CVEs or the next undisclosed zero-day, Waratek provides an efficient and reliable shield. 

Learn more about how Waratek’s solutions can protect you from the next big vulnerability to make headlines by taking a tour of our platform here.
