CVE-2024-56337 (Critical) detected in tomcat-embed-core-10.1.31.jar #6575

mend-bolt-for-github · 2024-12-21T12:12:27Z

CVE-2024-56337 - Critical Severity Vulnerability

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-okhttp/pom.xml

Path to vulnerable library: /hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-okhttp/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-server-jersey/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-apache/pom.xml

Dependency Hierarchy:

spring-boot-starter-web-3.3.5.jar (Root Library)
- spring-boot-starter-tomcat-3.3.5.jar
  - ❌ tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation
parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:

running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

Publish Date: 2024-12-20

URL: CVE-2024-56337

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

Step up your Open Source Security Game with Mend here

mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Dec 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-56337 (Critical) detected in tomcat-embed-core-10.1.31.jar #6575

CVE-2024-56337 (Critical) detected in tomcat-embed-core-10.1.31.jar #6575

mend-bolt-for-github bot commented Dec 21, 2024 •

edited

Loading

CVE-2024-56337 (Critical) detected in tomcat-embed-core-10.1.31.jar #6575

CVE-2024-56337 (Critical) detected in tomcat-embed-core-10.1.31.jar #6575

Comments

mend-bolt-for-github bot commented Dec 21, 2024 • edited Loading

CVE-2024-56337 - Critical Severity Vulnerability

mend-bolt-for-github bot commented Dec 21, 2024 •

edited

Loading