Critical Tomcat vulnerability (CVE-2024-56337, CVE-2024-50379)

Latest update date of this article: 2025-01-08

General information

A critical security vulnerability in Apache Tomcat application servers was reported on 2024-12-20. It is a time-of-check/time-of-use (TOCTOU) race condition during JSP compilation that allows remote code execution (RCE). It can only be exploited on operating systems with case-insensitive file systems, and only when the default servlet is configured for write access (the readonly init-param set to false, which is not Tomcat's default). In practice this affects Tomcat servers running on Windows Server. CVE-2024-56337 was published in addition to CVE-2024-50379 because the original fix is incomplete on some Java versions unless the Java system property sun.io.useCanonCaches is also disabled. We recommend that all customers running Tomcat-based Nexus components update their systems as described below.

Linux-based or Docker-based installations run on case-sensitive file systems and are not affected.

Official sites for the CVEs

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

Affected components

Only Tomcat installations on case-insensitive file systems (for example Windows Server) are affected.

If you have one of the following Nexus server components hosted on Windows, please update your Tomcat installation(s):

  • Identity Manager

  • Hermod

Update Tomcat version

Users are recommended to upgrade to Tomcat version 9.0.98, 10.1.34 or 11.0.2 (or later), which fix the issue. Note that upgrading alone is not sufficient on older Java versions; see the startup configuration below.

Tomcat version 9.0.x:

  • Update to 9.0.98 or higher

Tomcat startup configuration

Ensure that the Java system property sun.io.useCanonCaches (note the plural) is set to false for Tomcat. The requirement depends on the Java version Tomcat runs on: on Java 8 and Java 11 the property defaults to true and must be set explicitly to false; on Java 17 it defaults to false and must not be set to true; on Java 21 and later the property and the cache it controls have been removed, so no setting is needed. Set it in the JVM options of the Tomcat Windows service, or in CATALINA_OPTS in bin\setenv.bat when Tomcat is started with startup.bat.
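The following PowerShell check script is an added example and is not part of the Nexus advisory or of Tomcat's own tooling. It reports, for a Windows-hosted Tomcat, the installed version against the fixed releases named above, whether the service's JVM options set sun.io.useCanonCaches, and whether the default servlet is writable (the precondition for exploitation). It assumes the default Tomcat 9 install path and the service name Tomcat9 (adjust the parameters for your host), and that the service was created by Tomcat's service.bat (Apache procrun), which stores JVM options in the registry.

```powershell
# Added example (not from the Nexus advisory): verify Tomcat remediation state on Windows.
# Assumptions: CATALINA_HOME and the service name are supplied by the operator; the service
# was installed with service.bat (procrun), whose JVM options live under
# "Procrun 2.0\<service>\Parameters\Java\Options" in the registry.
param(
    [string]$CatalinaHome = 'C:\Program Files\Apache Software Foundation\Tomcat 9.0',
    [string]$ServiceName  = 'Tomcat9'
)

# Minimum fixed release per supported branch (CVE-2024-50379 / CVE-2024-56337).
$FixedVersions = @{
    '9.0'  = [version]'9.0.98'
    '10.1' = [version]'10.1.34'
    '11.0' = [version]'11.0.2'
}

function Get-TomcatVersion {
    param([string]$Home)
    # lib\catalina.jar carries ServerInfo.properties with a line such as "server.number=9.0.98.0".
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Join-Path $Home 'lib\catalina.jar'))
    try {
        $entry  = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $props = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $line = ($props -split '\r?\n') | Where-Object { $_ -match '^server\.number=' } | Select-Object -First 1
    return [version]($line -replace '^server\.number=', '')
}

function Test-TomcatVersionFixed {
    param([version]$Version)
    $branch = "$($Version.Major).$($Version.Minor)"
    # An end-of-life or unknown branch has no fixed release; treat it as unfixed.
    if (-not $FixedVersions.ContainsKey($branch)) { return $false }
    return $Version -ge $FixedVersions[$branch]
}

function Get-CanonCachesSetting {
    param([string]$Service)
    # procrun stores JVM options as REG_MULTI_SZ; a 32-bit Tomcat on 64-bit Windows uses WOW6432Node.
    $paths = @(
        "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$Service\Parameters\Java",
        "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$Service\Parameters\Java"
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $opts  = (Get-ItemProperty -Path $p -Name Options).Options
            $match = $opts | Where-Object { $_ -like '-Dsun.io.useCanonCaches=*' } | Select-Object -Last 1
            if ($match -and $match -match '=(true|false)$') { return $Matches[1] }
            # 'unset' is acceptable only on Java 17 or later, where the default is false / removed.
            return 'unset'
        }
    }
    throw "Service '$Service' not found in the procrun registry"
}

function Test-DefaultServletReadOnly {
    param([string]$Home)
    # The vulnerable write path needs the default servlet's readonly init-param set to false;
    # when the init-param is absent Tomcat defaults to readonly=true.
    [xml]$webXml = Get-Content (Join-Path $Home 'conf\web.xml')
    $default = $webXml.'web-app'.servlet | Where-Object { $_.'servlet-name' -eq 'default' }
    $ro = $default.'init-param' | Where-Object { $_.'param-name' -eq 'readonly' }
    return ($null -eq $ro) -or ($ro.'param-value'.Trim() -eq 'true')
}

$version = Get-TomcatVersion -Home $CatalinaHome
[ordered]@{
    'Tomcat version'              = $version
    'Version at or above fix'     = Test-TomcatVersionFixed -Version $version
    'sun.io.useCanonCaches'       = Get-CanonCachesSetting -Service $ServiceName
    'Default servlet readonly'    = Test-DefaultServletReadOnly -Home $CatalinaHome
}
```

Run it in an elevated PowerShell on the Tomcat host. If the property is reported as unset or true on Java 8 or 11, add it to the service from an Administrator prompt with Tomcat's service wrapper, for example `"%CATALINA_HOME%\bin\tomcat9.exe" //US//Tomcat9 ++JvmOptions=-Dsun.io.useCanonCaches=false`, and restart the service; for installations started with startup.bat, add `set "CATALINA_OPTS=%CATALINA_OPTS% -Dsun.io.useCanonCaches=false"` to bin\setenv.bat instead. If the default servlet is reported as writable and your deployment does not need it, set readonly back to true in conf\web.xml, which removes the precondition for this vulnerability independently of the upgrade.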


Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions