
ARCGIS SERVER embedded APACHE TOMCAT Server - Critical Remote Code Execution Vulnerability

01-14-2025 08:23 PM
vipulsoni
Regular Contributor

Hi,

We have ArcGIS Server 11.3 deployed in our Production environment, and recently the Cybersecurity Department flagged the presence of a vulnerability.

Vulnerability Details - 

CVE-2024-56337: Apache Tomcat Patches Critical Remote Code Execution Vulnerability (Update Apache Tomcat) - The vulnerability stems from an incomplete mitigation of a previous vulnerability (CVE-2024-50379). The flaw is exploitable on case-insensitive file systems where Tomcat's default servlet has write functionality enabled. By manipulating specific paths, attackers can bypass security measures and upload malicious JSP files, leading to remote code execution. Exploitation of this vulnerability enables attackers to execute arbitrary code on the affected server, potentially granting them complete control over the system.

Installed Version -

Apache Tomcat - 9.0.84.0 (ArcGIS 11.3) (Affected Version).

Product Affected Versions 
Apache Tomcat
11.0.0-M1 to 11.0.1
10.1.0-M1 to 10.1.33
9.0.0.M1 to 9.0.97

Fixed Tomcat Versions -
11.0.2 or later
10.1.34 or later
9.0.98 or later

Similar Post (but without any solution) - https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcg...

We planned to fix this but came to understand from the above Post that even if we try upgrading the Production Environment to ArcGIS Enterprise 11.4, the embedded Apache Tomcat is still a vulnerable version - Apache Tomcat 9.0.93.

This issue of Apache Tomcat needs a Patch from ESRI for the  ArcGIS Enterprise 11.3 and 11.4 versions as well.

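Two of the conditions the advisory quoted above names, a Tomcat build inside the listed ranges and a default servlet with write enabled, can be checked from the version string Tomcat's version script prints and from Tomcat's conf/web.xml. This is an added example, not code from the thread or from Esri; the web.xml snippet is constructed, the `readonly` init-param is Tomcat's own switch for default-servlet writes, and the third condition (a case-insensitive file system, which a Windows host satisfies) is assumed rather than tested.

```python
import re
import xml.etree.ElementTree as ET

# Highest affected patch per Tomcat line, from the ranges quoted in the post
# (9.0.0.M1-9.0.97, 10.1.0-M1-10.1.33, 11.0.0-M1-11.0.1); milestones of x.y.0 fall inside.
AFFECTED = {(9, 0): 97, (10, 1): 33, (11, 0): 1}

def parse_version(text):
    """'9.0.84.0', '9.0.0.M1' or '10.1.0-M1' -> (major, minor, patch, milestone-or-None)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)

def is_affected(text):
    """True if the version lies inside one of the affected ranges listed in the post."""
    major, minor, patch, _ = parse_version(text)
    return (major, minor) in AFFECTED and patch <= AFFECTED[(major, minor)]

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from an element name

def _text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def default_servlet_writable(web_xml_text):
    """True if web.xml sets readonly=false on the 'default' servlet (Tomcat's own
    default is readonly=true, which makes the servlet reject PUT and DELETE)."""
    for el in ET.fromstring(web_xml_text).iter():
        if _local(el.tag) != "servlet" or _text(el, "servlet-name") != "default":
            continue
        for p in el:
            if _local(p.tag) == "init-param" and _text(p, "param-name") == "readonly":
                return _text(p, "param-value").lower() == "false"
        return False  # no readonly param: Tomcat's read-only default applies
    return False

def assess(version_text, web_xml_text):
    """Both advisory conditions; exposure needs both (and a case-insensitive file system)."""
    version_hit, writable = is_affected(version_text), default_servlet_writable(web_xml_text)
    return {"affected_version": version_hit, "default_servlet_writable": writable,
            "exposed": version_hit and writable}

# Constructed sample input: the version quoted in the thread plus a web.xml with write enabled.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
```

Run `assess(<version string>, open("conf/web.xml").read())` against the embedded Tomcat; a version hit with `readonly` left at its default is still worth patching, but it is not the write-enabled configuration the advisory requires.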
6 Replies
RyanUthoff
MVP Regular Contributor

I believe this post will address your concerns. https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379...

The very last comment references the CVE you are concerned about (although you'll need to read the entire thread for the full explanation).

MikeVolz
Occasional Contributor

Where would one go on a computer (server) with ArcGIS Server installed to find out the version of Apache Tomcat?

Can this be found in Control Panel? I do not see any mention of Apache Tomcat software there.

George_Thompson
Esri Notable Contributor
MikeVolz
Occasional Contributor

George:

The original post in this thread says:

Product Affected Versions 
Apache Tomcat
11.0.0-M1 to 11.0.1
10.1.0-M1 to 10.1.33
9.0.0.M1 to 9.0.97

I ran version.bat on my server and it returned 9.0.84.0 which appears to be within the affected range.

As such, how does one get an upgraded Apache Tomcat version?

vipulsoni
Regular Contributor

Tomcat can be separately downloaded from Apache and updated in the ArcGIS Server installation directory, but this is not at all recommended by ESRI. It might lead to system instability issues.

https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379...

George_Thompson
Esri Notable Contributor

As @vipulsoni said, this is not a supported / recommended path. Please see the comment from @RandallWilliams here: https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379...

I would highly recommend you go over to the https://trust.arcgis.com/en/ site and look at the documentation there related to this CVE.

--- George T.