CVE-2024-50379 Overview
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Critical Impact
This vulnerability allows remote code execution (RCE) through the race condition in JSP compilation, but only when two non-default conditions hold together: the web application is served from a case-insensitive file system (Windows, or macOS with its default volume format) and the default servlet has its readonly init-param set to false, so that HTTP PUT requests can write files into the web application. Code that reaches the JSP compiler this way runs with the privileges of the Tomcat process.
Affected Products
- Apache Tomcat
- NetApp Bootstrap_OS
- NetApp HCI Compute Node
Discovery Timeline
- 2024-12-17 - CVE CVE-2024-50379 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-50379
Vulnerability Analysis
The vulnerability is a race condition during JSP compilation in Apache Tomcat. The JSP servlet checks the requested path before compiling it, but that check and the compiler's read of the source file are not atomic, so a time-of-check to time-of-use (TOCTOU) window exists between them. On a case-insensitive file system, an attacker who can write files through the default servlet (readonly set to false, which is not the default configuration) can use that window to get attacker-supplied JSP source compiled and executed by the server.
Root Cause
The root cause is a mismatch between how Tomcat and the file system treat letter case. The *.jsp servlet mapping and the default servlet's write path distinguish names by case, while a case-insensitive file system does not, so two differently cased names reach the same file. The check that is meant to reject a request whose case does not match the file on disk is performed separately from the compiler's read of that file, and a write made under the other name in between turns the check into a race that can be won for remote code execution.
Attack Vector
The attack vector is remote: the attacker needs network access to a Tomcat instance on a case-insensitive file system where the default servlet accepts PUT requests (readonly="false"), plus whatever authentication the application itself requires for PUT. No local access or valid session beyond that is needed; the attacker's own JSP source is what gets compiled.
// Illustrative check-then-act (TOCTOU) pattern, not an exploit for CVE-2024-50379
import java.io.File;
import java.io.IOException;
public class ToctouPattern {
    public static void main(String[] args) throws IOException {
        File file = new File("/path/to/jsp.jsp");
        if (file.canWrite()) {                           // time of check
            // another party can replace the file here, before the time of use below
            Runtime.getRuntime().exec("malicious_code"); // placeholder command, as in the original
        }
    }
}
Detection Methods for CVE-2024-50379
Indicators of Compromise
- HTTP PUT or DELETE requests handled by the default servlet that target names with a JSP extension, especially mixed-case variants such as .Jsp that the *.jsp servlet mapping does not match
- Creation of unfamiliar JSP files under a web application directory, followed by compiled classes for them appearing under Tomcat's work directory
- Unexpected child processes of the Tomcat JVM or unexpected restarts of the service (code reached through the JSP compiler runs with Tomcat's privileges)
Detection Strategies
Monitoring the access log for write methods (PUT, DELETE) against the default servlet and auditing file-system changes under the web application and work directories can surface exploitation attempts; a write followed within seconds by a GET of the same name in different case is the pattern to look for. Additionally, SentinelOne's behavioral AI engine, which monitors for abnormal process execution, can identify a successful exploitation by the processes the compiled JSP spawns.
Monitoring Recommendations
Implement continuous monitoring of Tomcat's access and catalina logs and track changes to critical files. Use file integrity monitoring to detect unauthorized creation or modification of JSP files and of compiled output under the work directory.
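As an added example (not code from the original page or from Apache Tomcat), the following Python script runs the detection logic above over a few constructed access-log lines in Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b). It flags PUT requests that create files with a JSP extension, calls out mixed-case extensions such as .Jsp separately, and pairs a later GET of the same name (compared case-insensitively) with the PUT that preceded it. The addresses, paths, status codes and the 60-second window are assumptions for the example.

```python
import re
from datetime import datetime

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
JSP_EXTENSIONS = {".jsp", ".jspx"}

# Constructed sample log lines (not real traffic): a benign GET, a PUT that writes a
# JSP source under a mixed-case extension, the GET that would trigger compilation,
# and a harmless upload of a text file.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Dec/2024:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [17/Dec/2024:10:15:31 +0000] "PUT /uploads/x.Jsp HTTP/1.1" 201 -
10.0.0.9 - - [17/Dec/2024:10:15:31 +0000] "GET /uploads/x.jsp HTTP/1.1" 200 512
10.0.0.7 - - [17/Dec/2024:10:16:00 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 -
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = e["path"].split("?", 1)[0]          # drop any query string
    name = path.rsplit("/", 1)[-1]
    e["path"] = path
    e["ext"] = name[name.rfind("."):] if "." in name else ""
    return e


def find_suspicious(lines, window_seconds=60):
    """Flag JSP writes through the default servlet and the GETs that follow them."""
    findings = []
    jsp_puts = []
    for e in filter(None, map(parse_line, lines)):
        if e["ext"].lower() not in JSP_EXTENSIONS:
            continue
        if e["method"] == "PUT":
            reason = "PUT of a JSP source via the default servlet"
            if e["ext"] != e["ext"].lower():
                # A mixed-case extension is not matched by the *.jsp servlet mapping,
                # so the request reaches the default servlet as a plain file write.
                reason += " using case-variant extension %s" % e["ext"]
            findings.append((e["ip"], e["path"], reason))
            jsp_puts.append(e)
        elif e["method"] == "GET":
            for p in jsp_puts:
                delta = (e["ts"] - p["ts"]).total_seconds()
                if p["path"].lower() == e["path"].lower() and 0 <= delta <= window_seconds:
                    findings.append((e["ip"], e["path"],
                                     "GET %.0fs after PUT of %s (write-then-compile pair)"
                                     % (delta, p["path"])))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_suspicious(SAMPLE_LOG.splitlines()):
        print("%s %s: %s" % (ip, path, reason))
```

Run against a real access log with `find_suspicious(open(path).readlines())`; if the AccessLogValve pattern has been customised, adjust LOG_RE to match it. The case-insensitive path comparison is deliberate: on the affected file systems the PUT and the GET name the same file even though Tomcat's mapping treats them differently.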
How to Mitigate CVE-2024-50379
Immediate Actions Required
- Upgrade to a fixed version: 11.0.2, 10.1.34 or 9.0.98 (8.5.x is EOL and has no fix)
- Ensure the default servlet is read-only (readonly init-param absent or set to true) wherever HTTP PUT is not genuinely required
- On Java 8 or 11, also start Tomcat with -Dsun.io.useCanonCaches=false; on Java 17 make sure the property is not set to true (its default is false); Java 21 and later need no setting. CVE-2024-56337 records that without this the fix for CVE-2024-50379 is incomplete
- Run Tomcat as an unprivileged user whose write access to the webapps and work directories is the minimum the deployment needs
Patch Information
Refer to the official Apache Tomcat advisory for patching instructions: Apache Advisory (the security-11, security-10 and security-9 pages on tomcat.apache.org list the fixed releases and the Java property requirement).
Workarounds
Set the default servlet's readonly init-param back to true (its default) in Tomcat's conf/web.xml, and check each application's WEB-INF/web.xml for a redeclared default servlet that overrides it. If an application genuinely needs HTTP PUT, place it behind authentication and a security-constraint on the PUT and DELETE methods, and strictly control which accounts can write to the server's file system.
# Configuration example (conf/web.xml): the default servlet's readonly init-param
# controls whether PUT and DELETE are accepted; it defaults to true, and the
# vulnerable state requires someone to have set it to false.
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- Keep this true (or remove it); false enables writes through the default servlet -->
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
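As an added example (not code from the original page or from Apache Tomcat), the following Python script turns the mitigation checklist above into an audit: it classifies a Tomcat version string against the fixed releases named in the advisory, parses a web.xml to see whether the DefaultServlet has been switched to readonly=false, and checks the sun.io.useCanonCaches requirement that CVE-2024-56337 added for Java 8, 11 and 17. The web.xml fragment is constructed for the example and the function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release of each supported branch (from the advisory).
FIXED_IN = {(11, 0): "11.0.2", (10, 1): "10.1.34", (9, 0): "9.0.98"}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed conf/web.xml fragment (not a real deployment) showing the vulnerable
# setting: readonly explicitly set to false, which enables PUT and DELETE.
SAMPLE_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def parse_version(v):
    """Turn '9.0.97', '9.0.0.M1' or '11.0.0-M1' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % v)
    major, minor, patch, milestone = m.groups()
    # A milestone sorts before the final release carrying the same number.
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else float("inf"))


def version_status(v):
    """'fixed', 'affected', 'affected-eol' (8.5.x) or 'unknown-eol' (older, unfixed)."""
    t = parse_version(v)
    branch = t[:2]
    if branch in FIXED_IN:
        return "fixed" if t >= parse_version(FIXED_IN[branch]) else "affected"
    if branch == (8, 5):
        return "affected-eol"
    return "unknown-eol" if t < (9, 0, 0, 0) else "unknown"


def default_servlet_writable(web_xml_text):
    """True if the DefaultServlet has readonly=false (the non-default, vulnerable state)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iterfind(".//{*}servlet"):   # {*} ignores the web-app namespace
        if servlet.findtext("{*}servlet-class", "").strip() != DEFAULT_SERVLET:
            continue
        for param in servlet.iterfind("{*}init-param"):
            if param.findtext("{*}param-name", "").strip() == "readonly":
                return param.findtext("{*}param-value", "").strip().lower() == "false"
        return False   # readonly defaults to true when the init-param is absent
    return False       # no DefaultServlet declared here; Tomcat's read-only default applies


def canon_caches_mitigated(java_major, setting=None):
    """CVE-2024-56337: the fix only holds if sun.io.useCanonCaches is false.
    `setting` is the value of -Dsun.io.useCanonCaches=..., or None when unset.
    Java 12 to 16 are treated like 8 and 11 (explicit setting required), which is
    the conservative reading of the advisory."""
    if java_major >= 21:
        return True                      # property no longer exists; nothing to set
    if java_major >= 17:
        return setting is None or setting.lower() == "false"   # default is already false
    return setting is not None and setting.lower() == "false"  # 8/11: must be set explicitly


def audit(version, web_xml_text, java_major, canon_setting=None):
    """Return the list of conditions that still leave this host exposed."""
    issues = []
    status = version_status(version)
    if status != "fixed":
        issues.append("Tomcat %s is %s; upgrade" % (version, status))
    if default_servlet_writable(web_xml_text):
        issues.append("default servlet has readonly=false; set it to true")
    if not canon_caches_mitigated(java_major, canon_setting):
        issues.append("set -Dsun.io.useCanonCaches=false on Java %d" % java_major)
    return issues


if __name__ == "__main__":
    for issue in audit("9.0.97", SAMPLE_WEB_XML, 11):
        print(issue)
```

Point `default_servlet_writable` at both conf/web.xml and every application's WEB-INF/web.xml, since a per-application declaration of the default servlet overrides the global one. An empty list from `audit` means all three conditions are closed; the race itself is only reachable while the default servlet is writable, so that finding is the one to fix first if the upgrade has to wait.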
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.