Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.
org.apache.tomcat:tomcat-catalina provides the Tomcat Servlet Engine core classes and standard implementations.
Affected versions of this package are vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition. On case-insensitive file systems, when the default servlet is write-enabled (the readonly initialization parameter set to false), an attacker can upload a file containing executable code and race Tomcat's case-sensitivity check, so that the file is treated as a JSP and executed.
The race has been observed when the application is under load and a read and an upload of the same file are performed simultaneously.
Note: the default readonly initialization parameter value of true is not vulnerable.
This issue is related to CVE-2024-56337, which defines additional configuration required to fully mitigate it: upgrading to the fixed version alone does not close the vulnerability on affected Java versions.
In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat:
- Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true).
- Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false).
- Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed).
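The following added example (not Tomcat's or the advisory's code) turns the two conditions above into a check a practitioner can run against a deployment: is the default servlet write-enabled in conf/web.xml, and does the sun.io.useCanonCaches setting satisfy the per-Java-version rule. The two web.xml fragments are constructed for the example; the function names and the verdict strings are this example's own.

```python
"""Check a Tomcat deployment for the advisory's two conditions: a
write-enabled default servlet, and the sun.io.useCanonCaches system
property on Java 8/11/17. Added example, not Tomcat's own code."""
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragment: the default servlet with readonly=false,
# i.e. the non-default, write-enabled configuration the advisory warns about.
WRITE_ENABLED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed stock configuration: readonly is not set, so it takes its
# default of true and the default servlet is not write-enabled.
STOCK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so we can match on the bare element name."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_writable(web_xml):
    """Return True when the servlet named 'default' has readonly=false."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        name = next((c.text for c in servlet if _local(c.tag) == 'servlet-name'), None)
        if (name or '').strip() != 'default':
            continue
        for param in servlet:
            if _local(param.tag) != 'init-param':
                continue
            kv = {_local(c.tag): (c.text or '').strip() for c in param}
            if kv.get('param-name') == 'readonly':
                return kv.get('param-value', '').lower() == 'false'
    return False  # parameter absent: readonly defaults to true


def canon_caches_ok(java_major, prop_value):
    """Apply the advisory's per-Java-version rule for sun.io.useCanonCaches.

    prop_value is the string given via -Dsun.io.useCanonCaches=..., or None
    when the property is not set on the JVM command line.
    """
    if java_major >= 21:
        return True  # property and the problematic cache were removed
    if java_major >= 17:
        # defaults to false; only an explicit true is a problem
        return prop_value is None or prop_value.lower() == 'false'
    # Java 8 and 11 default the property to true, so it must be set explicitly
    return prop_value is not None and prop_value.lower() == 'false'


def assess(web_xml, java_major, prop_value=None):
    """Summarise exposure. 'mitigated' covers only the system property; the
    upgrade to a fixed tomcat-catalina version is still required."""
    if not default_servlet_writable(web_xml):
        return 'not exposed'  # readonly=true is not vulnerable
    if canon_caches_ok(java_major, prop_value):
        return 'mitigated'
    return 'action required'


if __name__ == '__main__':
    # Hypothetical deployment: write-enabled default servlet on Java 11 with
    # no -Dsun.io.useCanonCaches set in CATALINA_OPTS.
    print(assess(WRITE_ENABLED_WEB_XML, 11))
```

For a real deployment, read conf/web.xml (and any per-application WEB-INF/web.xml that redefines the default servlet) into default_servlet_writable, and take the property value from the running JVM's arguments (for example the -D flags in CATALINA_OPTS set by bin/setenv.sh) rather than from a literal.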