
Apache Tomcat vulnerability CVE-2024-50379

JohnLivengood
Occasional Contributor

We're already getting pinged by our IT for a security vulnerability with Apache Tomcat released 12/17/24 - CVE-2024-50379. I am operating on 11.3. Assume I just need to wait for a patch to be released?

The Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat allows for Remote Code Execution (RCE) on case insensitive file systems when the default servlet is enabled for write. This vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. An attacker can exploit this vulnerability to execute arbitrary code. It is recommended to upgrade to version 11.0.2, 10.1.34, or 9.0.08 to fix this issue.

Impact: If this vulnerability is exploited, an attacker can execute arbitrary code on the affected system, potentially leading to a complete compromise of the system.

Remediation: Apply the latest patches and updates provided by the respective vendors.
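Added here as an illustration, not code from this thread or from Apache or Esri: a small Python audit helper that checks the two preconditions the quoted advisory names, an affected Tomcat version and a DefaultServlet configured with readonly=false in conf/web.xml, against a constructed web.xml fragment. Fixed versions are those stated in the thread (9.0.98 for the 9.0.x branch, as in the follow-up post); the case-insensitive file system condition is passed in as a flag because it cannot be read from web.xml.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the thread (9.0.98 for the 9.0.x branch, as in the follow-up post).
FIXED = {9: (9, 0, 98), 10: (10, 1, 34), 11: (11, 0, 2)}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def parse_version(text):
    """'10.1.33' -> (10, 1, 33, 1); milestone '11.0.0-M1' -> (11, 0, 0, 0), sorting before GA."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1)

def version_is_vulnerable(text):
    # True when the version is in an affected branch and predates that branch's fixed release.
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed + (1,)

def _local(tag):  # strip the namespace so javaee and jakartaee web.xml files both work
    return tag.rsplit("}", 1)[-1]

def _child_text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def default_servlet_is_writable(web_xml):
    """True if DefaultServlet carries init-param readonly=false (Tomcat's default is true)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "false"
    return False

def assess(version, web_xml, case_insensitive_fs):
    # All three advisory preconditions must hold for the host to count as exposed.
    vuln, writable = version_is_vulnerable(version), default_servlet_is_writable(web_xml)
    return {"vulnerable_version": vuln, "default_servlet_writable": writable,
            "case_insensitive_fs": case_insensitive_fs,
            "exposed": vuln and writable and case_insensitive_fs}

# Constructed conf/web.xml fragment carrying the weak setting (readonly=false).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run assess("9.0.97", open("conf/web.xml").read(), case_insensitive_fs=True) against a real install; the mitigation is to upgrade, and meanwhile to keep readonly at its default of true unless writes through the default servlet are genuinely required.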

2 Replies
TimWestern
Frequent Contributor

This is actually an interesting question, because they announced deprecation of ArcGIS Maps SDK for Java in March of 2024. https://support.esri.com/en-us/knowledge-base/arcgis-maps-sdk-for-java-deprecation-000032164
Also noted with the notice at the top of this page: https://developers.arcgis.com/java/

So if Java is not being used as an integration point, what other parts of ArcGIS that we may be deploying actually rely on Java and/or Tomcat?

JohnLivengood
Occasional Contributor

Apache Tomcat has released an update for CVE-2024-50379. Follow at your own peril, but I downloaded the latest 9.0.98 jar file and renamed it to tomcat-juli.jar. On each server I replaced the vulnerable jar file with the latest version. After restarting the 3 enterprise services, everything is working normally and scans are clear.

Details on the vulnerability: Apache Tomcat® - Apache Tomcat 9 vulnerabilities

Downloadable repository: Central Repository: org/apache/tomcat/tomcat-juli/9.0.98

I would still recommend waiting for the official patch but if you're in a hurry...
