Latest update date of this article:
2025-01-08
General information
A new critical security vulnerability for Tomcat application servers was reported on 2024-12-20. The vulnerability opens a remote code execution (RCE) flaw, which can only be abused on operating systems with case-insensitive file systems. In practice this affects all Tomcat servers running on Windows Server. We recommend all customers running Tomcat-based Nexus components to update their systems as described below.
Linux-based or Docker-based installations are not affected.
Official sites for the CVEs
https://nvd.nist.gov/vuln/detail/CVE-2024-56337
https://nvd.nist.gov/vuln/detail/CVE-2024-50379
Affected components
Only Tomcat installations on case-insensitive file systems (for example Windows Server) are affected.
If you have one of the following Nexus server components hosted on Windows, please update your Tomcat installation(s):
Identity Manager
Hermod
Update Tomcat version
Users are recommended to upgrade to Tomcat version 9.0.98, 10.1.34 or 11.0.2, which fix the issue.
Tomcat version 9.0.x:
Update to 9.0.98 or higher
Tomcat version 10.1.x:
Update to 10.1.34 or higher
Tomcat version 11.0.x:
Update to 11.0.2 or higher
Tomcat startup configuration
Check whether your Tomcat startup configuration sets the system property sun.io.useCanonCaches and, if so, adjust it for your Java version as described below:
Running on Java 8 or Java 11:
Set the system property sun.io.useCanonCaches to false. It defaults to true.
Running on Java 17:
Set the system property sun.io.useCanonCaches, if set, to false. It defaults to false.
Running on Java 21 and later versions:
No further configuration is required. The system property and the problematic cache have been removed.
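The following script checks a Windows Tomcat service against the version thresholds and the sun.io.useCanonCaches guidance above. It is an added example, not part of this advisory or of Tomcat; the install path, service name and procrun registry layout are assumptions for a stock Apache Tomcat Windows service install, and java on PATH is assumed to be the JVM the service runs on.

```powershell
param(
    [string]$CatalinaHome = 'C:\Program Files\Apache Software Foundation\Tomcat 9.0',  # assumption: stock install path
    [string]$ServiceName  = 'Tomcat9'                                                   # assumption: procrun service name
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Tomcat version from catalina.jar's ServerInfo.properties (server.number=9.0.98.0)
$zip   = [IO.Compression.ZipFile]::OpenRead("$CatalinaHome\lib\catalina.jar")
$entry = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
$props = (New-Object IO.StreamReader($entry.Open())).ReadToEnd()
$zip.Dispose()
$tomcat = [version]([regex]::Match($props, 'server\.number=([\d.]+)').Groups[1].Value)

# Minimum fixed release per branch, as listed in the advisory
$fixed  = @{ '9.0' = [version]'9.0.98'; '10.1' = [version]'10.1.34'; '11.0' = [version]'11.0.2' }
$branch = "$($tomcat.Major).$($tomcat.Minor)"
$tomcatOk = $fixed.ContainsKey($branch) -and ($tomcat -ge $fixed[$branch])

# JVM options: the Windows service (procrun registry) plus bin\setenv.bat, if present
$regKey = "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"  # assumption: procrun layout
$opts = @()
if (Test-Path $regKey) { $opts += (Get-ItemProperty $regKey).Options }
$setenv = "$CatalinaHome\bin\setenv.bat"
if (Test-Path $setenv) { $opts += Get-Content $setenv }
$canon = $opts | Select-String 'sun\.io\.useCanonCaches=(\w+)' | Select-Object -Last 1
$canonValue = if ($canon) { $canon.Matches[0].Groups[1].Value } else { $null }

# Java major version (1.8.0_x -> 8, 11.0.x -> 11, 17.0.x -> 17, 21.0.x -> 21)
$verLine   = & java -XshowSettings:properties -version 2>&1 | Select-String 'java\.version = (\S+)'
$jv        = $verLine.Matches[0].Groups[1].Value
$javaMajor = if ($jv -like '1.*') { [int]$jv.Split('.')[1] } else { [int]$jv.Split('.')[0] }

# Property check per the advisory: 8/11 default true, so it must be set to false explicitly;
# 17 defaults to false, so it only must not be re-enabled; 21+ no longer has the property.
$canonOk = switch ($javaMajor) {
    { $_ -in 8, 11 } { $canonValue -eq 'false' }
    17               { $canonValue -ne 'true' }
    default          { $_ -ge 21 }   # other majors are not covered by the advisory: review manually
}

[pscustomobject]@{
    TomcatVersion  = $tomcat.ToString()
    TomcatPatched  = $tomcatOk
    JavaMajor      = $javaMajor
    UseCanonCaches = $canonValue
    CanonCacheOk   = $canonOk
    NeedsAction    = -not ($tomcatOk -and $canonOk)
}
```

NeedsAction is true whenever either the Tomcat build is below the fixed release for its branch or the property is not in the state required for the detected Java version; run it once per Tomcat instance (Identity Manager and Hermod hosts separately) and re-run after the update.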