Time-of-check Time-of-use (TOCTOU) Race Condition Affecting org.apache.tomcat.embed:tomcat-embed-core package, versions [9.0.0.M1,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGAPACHETOMCATEMBED-8547999
  • published22 Dec 2024
  • disclosed20 Dec 2024
  • creditdawu@knownsec, Sunflower@knownsec

Introduced: 20 Dec 2024

NewCVE-2024-56337  (opens in a new tab)
CWE-367  (opens in a new tab)

How to fix?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

  1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

  2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

  3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

CVSS Scores

version 4.0
version 3.1