---
In early 2024, the Apache Software Foundation disclosed a security risk affecting millions of Tomcat servers worldwide. Known as CVE-2024-21733, this vulnerability could cause Tomcat to _leak sensitive server details_ right in its error messages. If you use Tomcat as your Java app server, read on – you may be exposed.
## What is CVE-2024-21733?
CVE-2024-21733 is a vulnerability where Tomcat’s error messages may include sensitive information — specifically, details that can help attackers understand your server's internal workings. This occurs in certain versions of Tomcat when handling HTTP requests that trigger errors.
Affected versions:
- Tomcat 9.0.0-M11 through 9.0.43

Fixed in:
- 9.0.44 and later
If you’re using any version in those vulnerable ranges, your Tomcat server could be leaking details in error messages you’d rather keep hidden.
## Why Does This Matter?
During normal operation (or especially when something goes wrong), Tomcat may display an error message to the browser. Sometimes these messages contain internal paths, configuration details, or even stack trace fragments.
These details help an attacker spot potential security holes.
In some cases, a simple 404 or 500 error could tell an attacker _way_ too much about your system.
## The Problem Explained
The bug happens when Tomcat generates an error message after certain malformed or unexpected input. If a user (or attacker) crafts an HTTP request that triggers a server error, the response might include internal information, like:
- Debug output
This is information you don’t want just anyone to see.
If you review a stack trace in Tomcat (from a vulnerable version), you might see something like this:

```html
<html>
<head><title>Apache Tomcat/9.0.35 - Error report</title></head>
<body>
<h1>HTTP Status 500 – Internal Server Error</h1>
<pre>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
...
Caused by: java.lang.NullPointerException
at com.example.MyApp.doSomething(MyApp.java:123)
</pre>
</body>
</html>
```
Notice the absolute file paths and method details! This gives away your structure — a goldmine for hackers.
Examine the error messages returned. Look for:
- File paths (/usr/local/tomcat/webapps/)
- Full stack traces

An attacker can use this intel to craft targeted attacks, find weak spots, or even mount further attacks like path traversal or LFI (Local File Inclusion).
A classic way to test for this:

```shell
curl http://<your-tomcat-server>/nonexistent.jsp
```

If you see a detailed error page with internal details, your server is likely vulnerable.

Or, within a browser, visit a non-existent resource:

`http://example.com/DOES-NOT-EXIST`

If Tomcat’s detailed error report appears, you’re exposed.
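As an added self-check for a server you administer (example code written for this article, not part of the original post or of the Tomcat project), the script below does the two things the test above leaves you to do by eye: it decides whether a reported 9.0.x version falls inside the affected range quoted earlier, and it scans the body of an error response for the kinds of leaks the article describes (server banner, stack frames, exception class names, absolute paths). The sample responses are constructed and modelled on the excerpt above; the function names, the regexes and the path `/usr/local/tomcat/webapps/ROOT/WEB-INF/app.properties` are this example's own assumptions, and the 8.5 branch is deliberately not modelled.

```python
import re
from typing import Dict, List, Tuple

# Affected range for the 9.0 branch as quoted in the article: 9.0.0-M11 through
# 9.0.43, fixed in 9.0.44. The 8.5 branch is not modelled here (assumption: 9.0 only).
FIRST_AFFECTED = "9.0.0-M11"
FIRST_FIXED = "9.0.44"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.0.35' or '9.0.0-M11' into a sortable tuple.

    Milestone builds (-Mn) sort before the GA release of the same number,
    so 9.0.0-M11 < 9.0.0 < 9.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    ga_marker = 10**6  # larger than any milestone number, so GA sorts last
    return (int(major), int(minor), int(patch), int(milestone) if milestone else ga_marker)


def is_vulnerable(version: str) -> bool:
    """True when the version lies in the affected 9.0.x range."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIRST_FIXED)


# Signals that Tomcat's default ErrorReportValve output is exposing internals.
# Category names and regexes are this example's own choices, not a Tomcat API.
LEAK_PATTERNS = {
    "server_banner": re.compile(r"Apache Tomcat/\d+\.\d+\.\d+(?:-M\d+)?"),
    "stack_frame": re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)"),
    "exception_class": re.compile(
        r"\b(?:java|javax|jakarta|org\.apache)\.[\w.]*(?:Exception|Error)\b"
    ),
    "abs_path": re.compile(r"/(?:usr|opt|var|home)/[\w./-]+"),
}


def find_leaks(body: str) -> Dict[str, List[str]]:
    """Return every leak category found in an error response, with its matches."""
    found: Dict[str, List[str]] = {}
    for name, pattern in LEAK_PATTERNS.items():
        matches = sorted(set(pattern.findall(body)))
        if matches:
            found[name] = matches
    return found


def assess(version: str, body: str) -> Dict[str, object]:
    """Combine both checks into one verdict for a server you administer."""
    leaks = find_leaks(body)
    in_range = is_vulnerable(version)
    return {
        "version": version,
        "version_in_affected_range": in_range,
        "error_page_leaks": leaks,
        "exposed": in_range or bool(leaks),
    }


# Constructed sample modelled on the article's excerpt (not a real capture):
# a default 500 error report from an affected build. The path is made up.
LEAKY_RESPONSE = """<html>
<head><title>Apache Tomcat/9.0.35 - Error report</title></head>
<body>
<h1>HTTP Status 500 - Internal Server Error</h1>
<pre>
java.io.FileNotFoundException: /usr/local/tomcat/webapps/ROOT/WEB-INF/app.properties (No such file or directory)
\tat com.example.MyApp.doSomething(MyApp.java:123)
\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
</pre>
</body>
</html>"""

# Constructed sample: the kind of generic page a custom web.xml error-page yields.
CLEAN_RESPONSE = "<html><body><h1>Something went wrong.</h1></body></html>"


if __name__ == "__main__":
    import json

    print(json.dumps(assess("9.0.35", LEAKY_RESPONSE), indent=2))
    print(json.dumps(assess("9.0.44", CLEAN_RESPONSE), indent=2))
```

To use it against a live server you control, save the body of the `curl` request above to a file and pass its contents to `find_leaks()`. The banner in the `<title>` is what the `ErrorReportValve` attribute `showServerInfo="false"` suppresses, and `showReport="false"` drops the stack trace block entirely; both are worth setting in server.xml alongside the upgrade, since a patched version with the default valve still advertises its exact build number.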
## Is This a Code Bug or Configuration Issue?
While Tomcat’s web.xml or app configuration could suppress error details, this particular CVE is a Tomcat code bug — fixed by the Tomcat developers themselves. Configuration can help, but the *real fix* is to update Tomcat!
- For Tomcat 9.0.x: upgrade to 9.0.44 or higher
Download official versions:
- Tomcat 8.5 Downloads
- Tomcat 9.0 Downloads
Defense-in-depth options:
- Customize error pages: use web.xml to map errors to blank or user-friendly pages (no stack traces!)

```xml
<error-page>
  <error-code>404</error-code>
  <location>/errors/404.html</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/errors/500.html</location>
</error-page>
```
- Proxy Tomcat behind nginx or Apache with generic error handling.
But these are *defenses in depth* — not full fixes for this CVE.
---
## References and Further Reading
- Apache Security Advisory for CVE-2024-21733
- Official Tomcat Changelogs
- CVE Details for CVE-2024-21733
---
## Final Thoughts
Sensitive information leaks are a favorite target for attackers, since they help automate hacking and amplify damage. Don’t let your Tomcat server hand out blueprints to your castle.
Check your version, test for error details, and UPGRADE immediately.
Stay safe! 🚀
## Timeline
Published on: 01/19/2024 11:15:08 UTC
Last modified on: 02/01/2024 17:15:10 UTC