CVE-2021-24122 Overview
CVE-2021-24122 is a source code disclosure vulnerability affecting Apache Tomcat when serving resources from a network location using the NTFS file system. The vulnerability allows attackers to potentially view JSP source code in certain configurations, exposing sensitive application logic, credentials, and other confidential information that should never be accessible to end users.
Critical Impact
JSP source code disclosure can expose sensitive business logic, hardcoded credentials, database connection strings, and internal application architecture to attackers, enabling further targeted attacks.
Affected Products
- Apache Tomcat 10.0.0-M1 to 10.0.0-M9
- Apache Tomcat 9.0.0.M1 to 9.0.39
- Apache Tomcat 8.5.0 to 8.5.59
- Apache Tomcat 7.0.0 to 7.0.106
- Debian Linux 9.0
- Oracle Agile PLM 9.3.3 and 9.3.6
Discovery Timeline
- January 14, 2021 - CVE-2021-24122 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-24122
Vulnerability Analysis
This vulnerability stems from inconsistent behavior between the Java Runtime Environment (JRE) API and the underlying Windows API when handling file paths on NTFS network shares. When Apache Tomcat serves resources from a network location using NTFS, the File.getCanonicalPath() method may return unexpected results due to the Windows FindFirstFileW API's inconsistent handling of certain path patterns.
Under specific configurations, this behavior allows attackers to craft requests that bypass Tomcat's normal resource handling, resulting in the disclosure of raw JSP source code instead of the compiled and executed output. This type of information exposure (CWE-200) combined with the use of an incorrectly-resolved name or reference (CWE-706) creates a significant security gap.
The vulnerability specifically affects deployments where Tomcat serves content from network-mounted NTFS file systems, a common configuration in enterprise environments using Windows file servers for centralized web content management.
Root Cause
The root cause is a combination of two factors:
Windows API Inconsistency: The FindFirstFileW Windows API exhibits unexpected behavior when resolving certain file path patterns on NTFS file systems, particularly on network shares.
JRE API Behavior: The File.getCanonicalPath() method in the JRE relies on the underlying OS file system APIs for path canonicalization. When the Windows API returns inconsistent results, this propagates through to Java applications.
This mismatch allows specially crafted HTTP requests to be interpreted differently than intended, causing Tomcat to return the raw JSP source file rather than processing it through the JSP compiler.
Attack Vector
The attack requires network access to the vulnerable Tomcat server. An attacker can craft HTTP requests with manipulated file paths targeting JSP files. When the server processes these requests on an NTFS network share, the path canonicalization inconsistency may cause Tomcat to serve the raw source code instead of executing the JSP.
The attack complexity is high because it requires a specific deployment configuration (NTFS network shares) and careful path manipulation. No authentication is required, and the impact is limited to confidentiality—attackers can read source code but cannot directly modify files or cause service disruption through this vulnerability alone.
Detection Methods for CVE-2021-24122
Indicators of Compromise
- Unusual HTTP request patterns containing path manipulation characters targeting .jsp files
- Web server logs showing successful responses with Content-Type: text/plain for JSP resources
- Requests containing encoded path separators or alternate data stream references
- Anomalous access patterns to JSP files from external IP addresses
Detection Strategies
- Monitor HTTP access logs for requests to JSP files with unusual path patterns or encoded characters
- Implement web application firewall (WAF) rules to detect and block path traversal and manipulation attempts
- Configure intrusion detection systems to alert on responses containing JSP syntax patterns (e.g., <%, %>, scriptlet tags)
- Review server configurations to identify Tomcat instances serving content from network NTFS shares
Monitoring Recommendations
- Enable detailed access logging on Apache Tomcat to capture full request URIs and response codes
- Set up alerting for responses to JSP files that return plain text content types
- Monitor for reconnaissance activity targeting web application structure and file extensions
- Conduct regular security audits of Tomcat deployment configurations
How to Mitigate CVE-2021-24122
Immediate Actions Required
- Upgrade Apache Tomcat to version 10.0.0-M10+, 9.0.40+, 8.5.60+, or 7.0.107+ immediately
- Review and audit any Tomcat deployments serving content from network NTFS shares
- Implement network segmentation to restrict access to internal Tomcat instances
- Enable web application firewall rules to filter suspicious path patterns
Patch Information
Apache has released patched versions that address the path canonicalization issue. Organizations should upgrade to the following minimum versions:
- Tomcat 10.x: Upgrade to 10.0.0-M10 or later
- Tomcat 9.x: Upgrade to 9.0.40 or later
- Tomcat 8.5.x: Upgrade to 8.5.60 or later
- Tomcat 7.x: Upgrade to 7.0.107 or later
For additional vendor-specific patches, refer to the Apache Tomcat Security Announcement, Debian LTS Security Advisory, and Oracle July 2021 Security Alert.
Workarounds
- Avoid serving Tomcat web applications directly from NTFS network shares; use local file systems instead
- If network shares are required, consider using non-NTFS file systems such as SMB shares on Linux servers
- Implement strict request filtering at the reverse proxy or load balancer level to sanitize incoming paths
- Configure security constraints in web.xml to restrict direct access to JSP files where possible
# Example: Verify Tomcat version and check for vulnerable configuration
# Check current Tomcat version
catalina.sh version
# Review server.xml for docBase attributes pointing to network shares
grep -i "docBase" $CATALINA_HOME/conf/server.xml
# Example: Upgrade Tomcat on Linux
# Stop Tomcat service
systemctl stop tomcat
# Download and install patched version (example for 9.0.40+)
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.40/bin/apache-tomcat-9.0.40.tar.gz
# Verify checksum and extract
tar -xzf apache-tomcat-9.0.40.tar.gz
# Restart Tomcat
systemctl start tomcat
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
