Time-of-check Time-of-use (TOCTOU) Race Condition Affecting org.apache.tomcat:tomcat-catalina package, versions [9.0.0.M1,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGAPACHETOMCAT-8547998
- published22 Dec 2024
- disclosed20 Dec 2024
- creditdawu@knownsec, Sunflower@knownsec
Introduced: 20 Dec 2024
NewCVE-2024-56337 (opens in a new tab)How to fix?
Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.
Overview
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.
Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.
In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :
running on Java 8 or Java 11: the system property
sun.io.useCanonCachesmust be explicitly set to false (it defaults to true)running on Java 17: the system property
sun.io.useCanonCaches, if set, must be set to false (it defaults to false)running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)