
Critical Tomcat vulnerability (CVE-2024-56337, CVE-2024-50379)

Latest update date of this article:
2025-01-08

General information

A critical security vulnerability in Apache Tomcat application servers was reported on 2024-12-20. It is a remote code execution (RCE) flaw that can only be exploited on operating systems with case-insensitive file systems, which in practice means all Tomcat servers running on Windows Server. According to the Apache Tomcat advisory, exploitation additionally requires the default servlet to be write-enabled (its readonly initialisation parameter set to the non-default value false), so a server with the stock configuration is not trivially exposed, but the update is still required. We recommend that all customers running Tomcat-based Nexus components update their systems as described below.

Linux-based or Docker-based installations, whose file systems are case-sensitive, are not affected.

Official sites for the CVEs

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

Affected components

Only Tomcat installations on case-insensitive file systems (for example Windows Server) are affected.

If you have one of the following Nexus server components hosted on Windows, please update your Tomcat installation(s):

  • Identity Manager

  • Hermod

Update Tomcat version

Users are recommended to upgrade to Tomcat version 9.0.98, 10.1.34 or 11.0.2, which fix the issue.

Tomcat version 9.0.x:

  • Update to 9.0.98 or higher

Tomcat startup configuration

Ensure that the Java system property sun.io.useCanonCaches is set to false for Tomcat as described below. On Java 8 and Java 11 the property defaults to true and must be set explicitly; on Java 17 it defaults to false and must not be set to true; on Java 21 and later the property and the cache it controls no longer exist, so no setting is needed:
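The following PowerShell script is an added example (mine, not code from the Nexus article or from the Tomcat project) that audits a Windows Tomcat host against both sections above: it reads the installed version from catalina.jar and compares it with the fixed release for its major line, checks whether the default servlet is write-enabled in conf\web.xml, and checks whether the Windows service's JVM options carry -Dsun.io.useCanonCaches=false. The install path, the service name Tomcat9 and the assumption that Tomcat runs as a Procrun Windows service are assumptions for the example, not details from the article; adjust them for the Identity Manager or Hermod host being checked.

```powershell
<#
Added example, not part of the Nexus article. Audits a Windows Tomcat install
for CVE-2024-50379 / CVE-2024-56337: patched version, write-enabled default
servlet, and the sun.io.useCanonCaches=false JVM option. On Windows the option
must go into the service's JVM options; bin\setenv.bat is only read by
catalina.bat/startup.bat, not by the Windows service.

Assumptions (mine): Tomcat lives under $CatalinaHome and runs as the Procrun
service $ServiceName (64-bit; a 32-bit Tomcat on 64-bit Windows keeps its keys
under HKLM:\SOFTWARE\WOW6432Node\... instead).
#>
param(
    [string]$CatalinaHome = 'C:\Program Files\Apache Software Foundation\Tomcat 9.0',
    [string]$ServiceName  = 'Tomcat9',
    [switch]$Apply   # add the JVM option to the service if it is missing (needs an elevated shell)
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# --- 1. Installed version, read from catalina.jar without starting Tomcat ---
$jar = [System.IO.Compression.ZipFile]::OpenRead((Join-Path $CatalinaHome 'lib\catalina.jar'))
try {
    $entry  = $jar.GetEntry('org/apache/catalina/util/ServerInfo.properties')
    $reader = New-Object System.IO.StreamReader($entry.Open())
    $props  = $reader.ReadToEnd()
    $reader.Dispose()
} finally {
    $jar.Dispose()
}
$line    = $props -split "`r?`n" | Where-Object { $_ -match '^server\.number=' } | Select-Object -First 1
$version = [version]($line -replace '^server\.number=', '').Trim()   # e.g. 9.0.98.0

# First fixed release per major line (from the CVE records linked in the article)
$fixedIn   = @{ 9 = [version]'9.0.98'; 10 = [version]'10.1.34'; 11 = [version]'11.0.2' }
$required  = $fixedIn[$version.Major]
$versionOk = ($null -ne $required) -and ($version -ge $required)

# --- 2. Is the default servlet write-enabled (readonly=false) in conf\web.xml? ---
# A deployed application's own WEB-INF\web.xml can also set this; check those too.
[xml]$webXml    = Get-Content -Raw (Join-Path $CatalinaHome 'conf\web.xml')
$defaultServlet = $webXml.'web-app'.servlet | Where-Object { $_.'servlet-name' -eq 'default' }
$readonlyParam  = $defaultServlet.'init-param' | Where-Object { $_.'param-name' -eq 'readonly' }
$writeEnabled   = ("$($readonlyParam.'param-value')".Trim() -eq 'false')

# --- 3. JVM options of the Windows service (Procrun keeps them in the registry) ---
$javaKey    = "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
$jvmOptions = @()
if (Test-Path $javaKey) {
    $jvmOptions = @((Get-ItemProperty -Path $javaKey -Name Options).Options)   # REG_MULTI_SZ
}
$canonCachesOff = $jvmOptions -contains '-Dsun.io.useCanonCaches=false'
$canonCachesOn  = $jvmOptions -contains '-Dsun.io.useCanonCaches=true'

if ($Apply -and (Test-Path $javaKey) -and -not $canonCachesOff) {
    # Drop any existing useCanonCaches setting (a =true entry would defeat the fix)
    # and append the disabling one. Takes effect after the service restarts.
    $newOptions = @($jvmOptions | Where-Object { $_ -notlike '-Dsun.io.useCanonCaches=*' }) +
                  '-Dsun.io.useCanonCaches=false'
    Set-ItemProperty -Path $javaKey -Name Options -Value $newOptions
    $canonCachesOff = $true
    $canonCachesOn  = $false
}

# --- 4. Report. FullyMitigated ignores the Java version: on Java 21+ the
#        property does not exist and the CanonCachesDisabled column is moot. ---
[pscustomobject]@{
    TomcatVersion       = $version.ToString()
    PatchedVersion      = $versionOk
    DefaultServletWrite = $writeEnabled
    CanonCachesDisabled = $canonCachesOff
    CanonCachesForcedOn = $canonCachesOn
    FullyMitigated      = $versionOk -and -not $canonCachesOn -and ((-not $writeEnabled) -or $canonCachesOff)
}
```

Run it once read-only to see the report, then with -Apply from an elevated prompt and restart the service (Restart-Service Tomcat9) so the new JVM option is picked up. Editing the Java Options field in the tomcat9w.exe service dialog writes the same registry value by hand; a setenv.bat entry such as set "CATALINA_OPTS=%CATALINA_OPTS% -Dsun.io.useCanonCaches=false" only helps when Tomcat is started from the scripts rather than as a service.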

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.