SentinelOne
CVE Vulnerability Database

CVE-2024-50379: Apache Tomcat Race Condition Vulnerability

CVE-2024-50379 is a time-of-check time-of-use race condition in Apache Tomcat that enables remote code execution on case-insensitive file systems. This article covers technical details, affected versions, and patches.


CVE-2024-50379 Overview

A time-of-check time-of-use (TOCTOU) race condition during JSP compilation in Apache Tomcat permits remote code execution on case-insensitive file systems when the default servlet is enabled for write (a non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fix the issue.

Critical Impact

This vulnerability allows remote code execution (RCE) due to the race condition present in JSP compilation under specific configurations.

Affected Products

  • Apache Tomcat
  • NetApp Bootstrap_OS
  • NetApp HCI Compute Node

Discovery Timeline

  • 2024-12-17 - CVE-2024-50379 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2024-50379

Vulnerability Analysis

The vulnerability is rooted in a race condition that occurs during JSP compilation in Apache Tomcat. Specifically, the window between Tomcat's check of the requested path and its later use during JSP compilation (the TOCTOU discrepancy) allows an attacker to execute arbitrary code on case-insensitive file systems when the default servlet is configured to allow write access, which is not the default configuration.

Root Cause

The root cause of this vulnerability is the improper handling of file and request checks in environments with case-insensitive file systems, leading to a race condition that can be leveraged for remote code execution.

Attack Vector

The attack vector for this vulnerability is remote, requiring network access to exploit the improper JSP handling under certain configurations of Apache Tomcat.

java
// Example exploitation code (sanitized). This placeholder only shows the
// check-then-act shape of a TOCTOU bug; it does not reproduce the Tomcat race,
// which lies between Tomcat's own path check and its later use during JSP compilation.
import java.io.File;

File file = new File("/path/to/jsp.jsp");
if (file.canWrite()) {
    // The race window is between the check above and the use below
    Runtime.getRuntime().exec("malicious_code");
}

Detection Methods for CVE-2024-50379

Indicators of Compromise

  • Unusual write activity to JSP files
  • Unexpected restart of Tomcat service
  • Creation of unfamiliar JSP files

Detection Strategies

Monitoring JSP write access logs and auditing changes to the file system can aid in detecting potential exploitation attempts. Additionally, using SentinelOne's behavioral AI engine to monitor for abnormal process execution can identify successful exploitation.

Monitoring Recommendations

Implement continuous monitoring of Tomcat server logs and track changes to critical files. Use file integrity monitoring tools to detect unauthorized modifications to JSP files.
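As an added illustration of the log review described under Detection Strategies and Monitoring Recommendations (example code, not from SentinelOne or the Tomcat project): the script below scans Tomcat access-log lines in the default common pattern and flags write requests (PUT or DELETE) aimed at JSP resources, marking those whose extension is spelled in non-canonical case, the detail that matters on a case-insensitive file system. The log lines, hosts and paths are constructed samples.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Tomcat access log, default "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
WRITE_METHODS = {"PUT", "DELETE"}  # honoured by the default servlet only when readonly=false
JSP_EXTENSIONS = (".jsp", ".jspx")

@dataclass
class Finding:
    host: str
    time: str
    method: str
    path: str
    status: int
    case_variant: bool  # extension not in canonical lower case, e.g. ".Jsp"
    succeeded: bool     # 2xx response: the write was accepted

def suspicious_jsp_writes(lines):
    # Return write requests whose target is a JSP resource, compared case-insensitively
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] not in WRITE_METHODS:
            continue
        path = unquote(m["path"].split("?", 1)[0])
        if not path.lower().endswith(JSP_EXTENSIONS):
            continue
        ext = path[path.rfind("."):]
        status = int(m["status"])
        findings.append(Finding(m["host"], m["time"], m["method"], path, status,
                                case_variant=ext != ext.lower(),
                                succeeded=200 <= status < 300))
    return findings

# Constructed sample log lines (hosts, times and paths are made up for this example)
SAMPLE_LOG = """\
10.0.0.5 - - [17/Dec/2024:10:15:31 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [17/Dec/2024:10:15:32 +0000] "PUT /app/uploads/upload.Jsp HTTP/1.1" 201 -
10.0.0.7 - - [17/Dec/2024:10:16:01 +0000] "PUT /app/uploads/notes.txt HTTP/1.1" 201 -
10.0.0.8 - - [17/Dec/2024:10:16:05 +0000] "PUT /app/uploads/test.jsp HTTP/1.1" 403 -
"""

if __name__ == "__main__":
    for finding in suspicious_jsp_writes(SAMPLE_LOG.splitlines()):
        print(finding)
```

A successful (2xx) case-variant write is the strongest signal and should be correlated with a subsequent GET of the same path and with file-integrity alerts on the webapp directory.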

How to Mitigate CVE-2024-50379

Immediate Actions Required

  • Disable write access for the default servlet in Apache Tomcat
  • Upgrade to fixed versions: 11.0.2, 10.1.34, or 9.0.98
  • Implement tighter permissions on file systems

Patch Information

Refer to the official Apache Tomcat advisory for patching instructions: Apache Advisory

Workarounds

Disable the default servlet's write capabilities if not required, and strictly control access to the server's file system.

xml
<!-- Configuration example: conf/web.xml (or the application's WEB-INF/web.xml).
     Keep the default servlet read-only so HTTP PUT and DELETE are rejected.
     readonly defaults to true; the vulnerable configuration sets it to false. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
