Apache Tomcat の脆弱性 CVE-2024-50379 CVE-2024-56337 について
Apache Tomcat の脆弱性 CVE-2024-50379 CVE-2024-56337 が発見されました。WebRelease は DefaultServlet を readonly の状態でしか使用していませんこのでこの脆弱性の影響を受けることはありません。対応は必要ありません。
-
[SECURITY] CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet
If the default servlet is write enabled (readonly initialisation
parameter set to the non-default value of false) for a case insensitive
file system, concurrent read and upload under load of the same file can
bypass Tomcat's case sensitivity checks and cause an uploaded file to be
treated as a JSP leading to remote code execution. -
[SECURITY] CVE-2024-56337 Apache Tomcat - RCE via write-enabled default servlet - CVE-2024-50379 mitigation was incomplete
Users running Tomcat on a case insensitive file system with the default
servlet write enabled (readonly initialisation parameter set to the
non-default value of false) may need additional configuration to fully
mitigate CVE-2024-50379 depending on which version of Java they are
using with Tomcat.CVE-2024-56337 に関しては 2024/12/25 に追記させていただきました。