CVE-2021-24122: Apache Tomcat Information Disclosure Flaw

CVE-2021-24122 Overview

CVE-2021-24122 is a source code disclosure vulnerability affecting Apache Tomcat when serving resources from a network location using the NTFS file system. The vulnerability allows attackers to potentially view JSP source code in certain configurations, exposing sensitive application logic, credentials, and other confidential information that should never be accessible to end users.

Critical Impact
JSP source code disclosure can expose sensitive business logic, hardcoded credentials, database connection strings, and internal application architecture to attackers, enabling further targeted attacks.

Affected Products

Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M1 to 9.0.39
Apache Tomcat 8.5.0 to 8.5.59
Apache Tomcat 7.0.0 to 7.0.106
Debian Linux 9.0
Oracle Agile PLM 9.3.3 and 9.3.6

Discovery Timeline

January 14, 2021 - CVE-2021-24122 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-24122

Vulnerability Analysis

This vulnerability stems from inconsistent behavior between the Java Runtime Environment (JRE) API and the underlying Windows API when handling file paths on NTFS network shares. When Apache Tomcat serves resources from a network location using NTFS, the File.getCanonicalPath() method may return unexpected results due to the Windows FindFirstFileW API's inconsistent handling of certain path patterns.

Under specific configurations, this behavior allows attackers to craft requests that bypass Tomcat's normal resource handling, resulting in the disclosure of raw JSP source code instead of the compiled and executed output. This type of information exposure (CWE-200) combined with the use of an incorrectly-resolved name or reference (CWE-706) creates a significant security gap.

The vulnerability specifically affects deployments where Tomcat serves content from network-mounted NTFS file systems, a common configuration in enterprise environments using Windows file servers for centralized web content management.

Root Cause

The root cause is a combination of two factors:

Windows API Inconsistency: The FindFirstFileW Windows API exhibits unexpected behavior when resolving certain file path patterns on NTFS file systems, particularly on network shares.
JRE API Behavior: The File.getCanonicalPath() method in the JRE relies on the underlying OS file system APIs for path canonicalization. When the Windows API returns inconsistent results, this propagates through to Java applications.

This mismatch allows specially crafted HTTP requests to be interpreted differently than intended, causing Tomcat to return the raw JSP source file rather than processing it through the JSP compiler.

Attack Vector

The attack requires network access to the vulnerable Tomcat server. An attacker can craft HTTP requests with manipulated file paths targeting JSP files. When the server processes these requests on an NTFS network share, the path canonicalization inconsistency may cause Tomcat to serve the raw source code instead of executing the JSP.

The attack complexity is high because it requires a specific deployment configuration (NTFS network shares) and careful path manipulation. No authentication is required, and the impact is limited to confidentiality—attackers can read source code but cannot directly modify files or cause service disruption through this vulnerability alone.

Detection Methods for CVE-2021-24122

Indicators of Compromise

Unusual HTTP request patterns containing path manipulation characters targeting .jsp files
Web server logs showing successful responses with Content-Type: text/plain for JSP resources
Requests containing encoded path separators or alternate data stream references
Anomalous access patterns to JSP files from external IP addresses

Detection Strategies

Monitor HTTP access logs for requests to JSP files with unusual path patterns or encoded characters
Implement web application firewall (WAF) rules to detect and block path traversal and manipulation attempts
Configure intrusion detection systems to alert on responses containing JSP syntax patterns (e.g., <%, %>, scriptlet tags)
Review server configurations to identify Tomcat instances serving content from network NTFS shares

Monitoring Recommendations

Enable detailed access logging on Apache Tomcat to capture full request URIs and response codes
Set up alerting for responses to JSP files that return plain text content types
Monitor for reconnaissance activity targeting web application structure and file extensions
Conduct regular security audits of Tomcat deployment configurations

How to Mitigate CVE-2021-24122

Immediate Actions Required

Upgrade Apache Tomcat to version 10.0.0-M10+, 9.0.40+, 8.5.60+, or 7.0.107+ immediately
Review and audit any Tomcat deployments serving content from network NTFS shares
Implement network segmentation to restrict access to internal Tomcat instances
Enable web application firewall rules to filter suspicious path patterns

Patch Information

Apache has released patched versions that address the path canonicalization issue. Organizations should upgrade to the following minimum versions:

Tomcat 10.x: Upgrade to 10.0.0-M10 or later
Tomcat 9.x: Upgrade to 9.0.40 or later
Tomcat 8.5.x: Upgrade to 8.5.60 or later
Tomcat 7.x: Upgrade to 7.0.107 or later

For additional vendor-specific patches, refer to the Apache Tomcat Security Announcement, Debian LTS Security Advisory, and Oracle July 2021 Security Alert.

Workarounds

Avoid serving Tomcat web applications directly from NTFS network shares; use local file systems instead
If network shares are required, consider using non-NTFS file systems such as SMB shares on Linux servers
Implement strict request filtering at the reverse proxy or load balancer level to sanitize incoming paths
Configure security constraints in web.xml to restrict direct access to JSP files where possible

bash

# Example: Verify Tomcat version and check for vulnerable configuration
# Check current Tomcat version
catalina.sh version

# Review server.xml for docBase attributes pointing to network shares
grep -i "docBase" $CATALINA_HOME/conf/server.xml

# Example: Upgrade Tomcat on Linux
# Stop Tomcat service
systemctl stop tomcat

# Download and install patched version (example for 9.0.40+)
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.40/bin/apache-tomcat-9.0.40.tar.gz

# Verify checksum and extract
tar -xzf apache-tomcat-9.0.40.tar.gz

# Restart Tomcat
systemctl start tomcat

CVE-2021-24122 Overview

Critical Impact
JSP source code disclosure can expose sensitive business logic, hardcoded credentials, database connection strings, and internal application architecture to attackers, enabling further targeted attacks.

Affected Products

Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M1 to 9.0.39
Apache Tomcat 8.5.0 to 8.5.59
Apache Tomcat 7.0.0 to 7.0.106
Debian Linux 9.0
Oracle Agile PLM 9.3.3 and 9.3.6

Discovery Timeline

January 14, 2021 - CVE-2021-24122 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-24122

Vulnerability Analysis

Root Cause

The root cause is a combination of two factors:

Windows API Inconsistency: The FindFirstFileW Windows API exhibits unexpected behavior when resolving certain file path patterns on NTFS file systems, particularly on network shares.
JRE API Behavior: The File.getCanonicalPath() method in the JRE relies on the underlying OS file system APIs for path canonicalization. When the Windows API returns inconsistent results, this propagates through to Java applications.

This mismatch allows specially crafted HTTP requests to be interpreted differently than intended, causing Tomcat to return the raw JSP source file rather than processing it through the JSP compiler.

Attack Vector

Detection Methods for CVE-2021-24122

Indicators of Compromise

Unusual HTTP request patterns containing path manipulation characters targeting .jsp files
Web server logs showing successful responses with Content-Type: text/plain for JSP resources
Requests containing encoded path separators or alternate data stream references
Anomalous access patterns to JSP files from external IP addresses

Detection Strategies

Monitor HTTP access logs for requests to JSP files with unusual path patterns or encoded characters
Implement web application firewall (WAF) rules to detect and block path traversal and manipulation attempts
Configure intrusion detection systems to alert on responses containing JSP syntax patterns (e.g., <%, %>, scriptlet tags)
Review server configurations to identify Tomcat instances serving content from network NTFS shares

Monitoring Recommendations

Enable detailed access logging on Apache Tomcat to capture full request URIs and response codes
Set up alerting for responses to JSP files that return plain text content types
Monitor for reconnaissance activity targeting web application structure and file extensions
Conduct regular security audits of Tomcat deployment configurations

How to Mitigate CVE-2021-24122

Immediate Actions Required

Upgrade Apache Tomcat to version 10.0.0-M10+, 9.0.40+, 8.5.60+, or 7.0.107+ immediately
Review and audit any Tomcat deployments serving content from network NTFS shares
Implement network segmentation to restrict access to internal Tomcat instances
Enable web application firewall rules to filter suspicious path patterns

Patch Information

Apache has released patched versions that address the path canonicalization issue. Organizations should upgrade to the following minimum versions:

Tomcat 10.x: Upgrade to 10.0.0-M10 or later
Tomcat 9.x: Upgrade to 9.0.40 or later
Tomcat 8.5.x: Upgrade to 8.5.60 or later
Tomcat 7.x: Upgrade to 7.0.107 or later

For additional vendor-specific patches, refer to the Apache Tomcat Security Announcement, Debian LTS Security Advisory, and Oracle July 2021 Security Alert.

Workarounds

Avoid serving Tomcat web applications directly from NTFS network shares; use local file systems instead
If network shares are required, consider using non-NTFS file systems such as SMB shares on Linux servers
Implement strict request filtering at the reverse proxy or load balancer level to sanitize incoming paths
Configure security constraints in web.xml to restrict direct access to JSP files where possible

bash

# Example: Verify Tomcat version and check for vulnerable configuration
# Check current Tomcat version
catalina.sh version

# Review server.xml for docBase attributes pointing to network shares
grep -i "docBase" $CATALINA_HOME/conf/server.xml

# Example: Upgrade Tomcat on Linux
# Stop Tomcat service
systemctl stop tomcat

# Download and install patched version (example for 9.0.40+)
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.40/bin/apache-tomcat-9.0.40.tar.gz

# Verify checksum and extract
tar -xzf apache-tomcat-9.0.40.tar.gz

# Restart Tomcat
systemctl start tomcat

CVE-2021-24122: Apache Tomcat Information Disclosure Flaw

CVE-2021-24122 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-24122

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-24122

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-24122

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-24122: Apache Tomcat Information Disclosure Flaw

CVE-2021-24122 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-24122

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-24122

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-24122

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform