Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks
  • 09 Jan 2025

The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions.

The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.

This affects Comflow installations on Windows that are running Tomcat 9. In practice this means all Comflow 2.22 and 2.24 installations on Windows, and possibly some older Comflow installations too, if they have been upgraded to Tomcat 9 in the past. The Apache 

The mitigation is to upgrade Tomcat 9 to Tomcat 9.0.98 or newer. Depending on the Java version, additional steps are required (see details below).

It should be mentioned that Tomcat 6.0, 7.0, 8.0 and 8.5 have all reached end-of-life; the fact that they are not mentioned in the vulnerability announcement does not imply that the vulnerability is absent from those Tomcat versions. It is generally not advisable to stay on an unsupported Tomcat version, since it no longer receives security updates.

For more information about the vulnerability, see https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html?m=1

Tomcat 9 Upgrade

Go to https://tomcat.apache.org/download-90.cgi for download and install according to standard procedure.

Java 8 and 11

For Java 8 (Comflow 2.22 and older) you have to disable the canonical file cache, a feature that standard Comflow does not use. You do this by adding the following option to the JVM options of the Tomcat service and restarting the service:

-Dsun.io.useCanonCaches=false


See example below:

(This also goes for Java 11, although there is no Comflow version for which Java 11 is recommended.)

Java 17

In Java 17 (Comflow 2.24), the property sun.io.useCanonCaches defaults to false, which is what we want. You only need to check that it has not been explicitly set to true (which is admittedly highly unlikely).

Java 21

In Java 21 or higher (future Comflow 3 releases), no action is required, because the property sun.io.useCanonCaches no longer exists.
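The Java-version-dependent steps above are easy to get wrong when checking many servers by hand. The following added example (not part of the original article or of Comflow) turns them into an audit helper: it parses the output of `java -version` and of Tomcat's `version.bat`, reads the JVM options configured on the Tomcat service, and reports which of the article's steps are still outstanding. The function names and the sample outputs are constructed for this example; the version threshold (9.0.98) and the per-Java-version rules come from the article.

```python
"""Audit helper for the Tomcat 9 / CVE-2024-56337 mitigation steps.

Inputs: the text printed by `java -version`, the text printed by Tomcat's
version.bat (or version.sh), and the list of JVM options configured on the
Tomcat service. Output: the list of mitigation steps still to be done.
All sample data in this file is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# First Tomcat 9 release carrying the complete fix (per the article).
FIXED_TOMCAT9 = (9, 0, 98)
CANON_PROP = "sun.io.useCanonCaches"


def parse_java_major(version_output: str) -> int:
    """Return the Java major version from `java -version` output.

    Handles the legacy "1.8.0_392" scheme (major 8) as well as the
    modern "17.0.9" / "21.0.1" scheme.
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("no Java version string found")
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:
        return int(second)  # "1.8.0_392" -> 8
    return first


def parse_tomcat_version(version_output: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from the 'Server number' line of version.bat output."""
    m = re.search(r"Server number:\s*(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no 'Server number' line found")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def canon_caches_setting(jvm_options: List[str]) -> Optional[bool]:
    """Return the explicit value of -Dsun.io.useCanonCaches, or None if it is not set."""
    for opt in jvm_options:
        if opt.startswith(f"-D{CANON_PROP}="):
            return opt.split("=", 1)[1].strip().lower() == "true"
    return None


def required_actions(tomcat_version: Tuple[int, int, int], java_major: int,
                     jvm_options: List[str]) -> List[str]:
    """Return the outstanding mitigation steps; an empty list means compliant."""
    actions: List[str] = []
    version_str = ".".join(str(x) for x in tomcat_version)

    if tomcat_version[0] < 9:
        # Article: 6.0, 7.0, 8.0 and 8.5 are end-of-life and receive no fixes.
        actions.append(f"Tomcat {version_str} is end-of-life; move to a supported version")
    elif tomcat_version[0] == 9 and tomcat_version < FIXED_TOMCAT9:
        actions.append(f"upgrade Tomcat {version_str} to 9.0.98 or newer")

    setting = canon_caches_setting(jvm_options)
    if java_major in (8, 11):
        # Java 8/11: the canonical file cache must be explicitly disabled.
        if setting is not False:
            actions.append(f"add -D{CANON_PROP}=false to the Tomcat service JVM options and restart")
    elif java_major == 17:
        # Java 17: default is already false; only an explicit 'true' is a problem.
        if setting is True:
            actions.append(f"remove the explicit -D{CANON_PROP}=true from the JVM options")
    elif java_major >= 21:
        pass  # Java 21+: the property no longer exists, nothing to do.
    else:
        # Java versions the article does not cover: do not guess, ask for a manual check.
        actions.append(f"Java {java_major} is not covered by the article; verify {CANON_PROP} manually")
    return actions


if __name__ == "__main__":
    # Constructed sample outputs, as they would be pasted from one server.
    java_out = 'openjdk version "1.8.0_392"\nOpenJDK Runtime Environment (build 1.8.0_392-b08)\n'
    tomcat_out = "Server version: Apache Tomcat/9.0.96\nServer number:  9.0.96.0\nOS Name:        Windows Server 2019\n"
    service_opts = ["-Xms512m", "-Xmx2g", "-Dcatalina.home=C:\\Tomcat9"]
    for step in required_actions(parse_tomcat_version(tomcat_out),
                                 parse_java_major(java_out), service_opts):
        print("TODO:", step)
```

On Windows the JVM options of a procrun-managed Tomcat service can be copied from the "Java" tab of the Tomcat service configuration dialog into `service_opts`; the helper then tells you whether the article's step for that Java version has been applied.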
