Apache security advisory (AV24-722) - Update 1

Serial number: AV24-722
Date: December 18, 2024

On December 17, 2024, Apache published a security advisory to address a critical vulnerability in the following products:

  • Apache Tomcat – versions 11.0.0-M1 to 11.0.1
  • Apache Tomcat – versions 10.1.0-M1 to 10.1.33
  • Apache Tomcat – versions 9.0.0.M1 to 9.0.97

Update 1

On December 20, 2024, Apache updated its advisory to address the incomplete mitigation for CVE-2024-50379, now being tracked as CVE-2024-56337. Full mitigation requires additional steps on top of the updates Apache released on December 17. These additional steps depend on the specific Java versions in use:

  • For Java 8 or 11, it is recommended to set the system property ‘sun.io.useCanonCaches’ to ‘false’ (default: true).
  • For Java 17, ensure ‘sun.io.useCanonCaches’, if set, is configured as ‘false’ (default: false).
  • For Java 21 and later, no configuration is needed. The property and problematic cache have been removed.
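
One way to check a Tomcat host against the three Java cases above, as an added example that is not part of the advisory or of Apache's guidance: given a Java version string and the JVM options the instance starts with, it reports whether ‘sun.io.useCanonCaches’ still needs attention. The function names, verdict strings and sample inputs are assumptions made for illustration, and only a literal ‘false’ is accepted as mitigated.

```shell
#!/bin/sh
# Added example, not part of the advisory. Sample inputs are constructed.

# Print the Java major release: 8 for "1.8.0_392", 17 for "17.0.9".
java_major() {
    v=${1#1.}                      # legacy "1.x" numbering used up to Java 8
    echo "${v%%[!0-9]*}"
}

# Print the -Dsun.io.useCanonCaches value found in a JVM option string, or
# "unset". When the option is repeated, the last occurrence is reported.
canon_caches_setting() (
    set -f                         # subshell body: split on spaces, no globbing
    val=unset
    for opt in $1; do
        case "$opt" in
            -Dsun.io.useCanonCaches=*) val=${opt#*=} ;;
        esac
    done
    echo "$val"
)

# Print ok / action-required / review, following the three cases in Update 1.
check_canon_caches() {
    major=$(java_major "$1")
    setting=$(canon_caches_setting "$2")
    if [ -z "$major" ]; then
        echo review                # version string could not be parsed
    elif [ "$major" -ge 21 ]; then
        echo ok                    # property and cache removed
    elif [ "$major" -eq 17 ]; then
        # Default is false: unset is fine, an override to anything else is not.
        case "$setting" in unset|false) echo ok ;; *) echo action-required ;; esac
    elif [ "$major" -eq 8 ] || [ "$major" -eq 11 ]; then
        # Default is true: the property must be set to false explicitly.
        if [ "$setting" = false ]; then echo ok; else echo action-required; fi
    else
        echo review                # release not covered by the list above
    fi
}

# Constructed samples: version as printed by `java -version`, then JVM options.
check_canon_caches "1.8.0_392" "-Xmx1g"
check_canon_caches "11.0.21" "-Xmx1g -Dsun.io.useCanonCaches=false"
check_canon_caches "17.0.9" "-Dsun.io.useCanonCaches=true"
check_canon_caches "21.0.1" ""
```

The check covers the system property only; the Tomcat updates released on December 17 are still required.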

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
