Time-of-check Time-of-use (TOCTOU) is a race condition that occurs when a system checks the state of a resource and then acts on the result of that check after the resource may already have been modified, so the action relies on stale information. A vulnerability of this kind was discovered in Apache Tomcat, the widely used Java servlet container and web server.

Vulnerability Details

The vulnerability exists in Apache Tomcat during JSP (Java Server Pages) compilation, specifically on case-insensitive file systems such as NTFS on Windows, and only when the default servlet is enabled for write access (a non-default configuration). Affected versions of Apache Tomcat are 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. This TOCTOU race condition allows an attacker to achieve remote code execution (RCE) on the vulnerable system.

Original References

1. Apache Tomcat Security Advisory
2. Apache Tomcat Changelog
3. NIST National Vulnerability Database (CVE-2024-50379)

The following code snippet illustrates the vulnerable check-then-use pattern in Apache Tomcat:

// File: org.apache.jasper.compiler.JspRuntimeContext.java
...
public void checkCompile(File file) {
    if (this.compileCheckInProgress) {
        return;
    }
    // Time-of-check: first read of the file's modification time
    if (file.lastModified() > getLastCompiled()) {
        this.compileCheckInProgress = true;
        // Time-of-use: second read; the file on disk can change between the two reads
        if (file.lastModified() > getLastCompiled()) {
            compile(file);
        }
        this.compileCheckInProgress = false;
    }
}

In the code above, there is a time window between the two evaluations of file.lastModified() > getLastCompiled() during which the JSP file on disk can be replaced; an attacker who wins that race can get malicious JSP content compiled and executed by the server.

An attacker can exploit this vulnerability by:

1. Identifying a vulnerable version of Apache Tomcat running with the default servlet enabled for write access.

2. Sending a specially crafted request containing malicious code to the targeted system.

3. Altering the JSP file between the time-of-check and the time-of-use so that the TOCTOU race condition is triggered.

Mitigation

Users of Apache Tomcat are recommended to upgrade to the following versions that contain a fix for the vulnerability:

For Tomcat 9.x users: upgrade to version 9.0.98.

In addition, users should verify that the default servlet is not configured for write access, since the vulnerability cannot be triggered without it.
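The following audit helper is an added example, not code from this advisory or from Tomcat: it parses a Tomcat web.xml (the global conf/web.xml or a webapp's WEB-INF/web.xml) and reports whether the DefaultServlet has been given write access through its readonly init-param, which Tomcat defaults to true. The sample descriptors are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Added audit helper, not Tomcat code: reports whether a Tomcat web.xml grants
# the DefaultServlet write access (init-param readonly=false), the non-default
# setting that CVE-2024-50379 requires.
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip the namespace ElementTree attaches, since web.xml declares a default xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child named `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def default_servlet_writable(web_xml_text):
    """True only if the DefaultServlet carries an explicit readonly=false.

    A missing readonly param means Tomcat's default of true (PUT/DELETE rejected),
    so it is reported as not writable. The comparison is case-insensitive, matching
    Java's Boolean.parseBoolean.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "false"
    return False

# Constructed sample descriptors for demonstration (not from any real deployment).
WRITABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAFE_WEB_XML = WRITABLE_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    print("write access enabled:", default_servlet_writable(WRITABLE_WEB_XML))  # True
    print("write access enabled:", default_servlet_writable(SAFE_WEB_XML))      # False
```

A per-webapp WEB-INF/web.xml can redeclare the default servlet, so run the check against each deployed application's descriptor as well as the global one.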

Conclusion

In summary, CVE-2024-50379 is a Time-of-check Time-of-use race condition vulnerability discovered in Apache Tomcat during JSP compilation, permitting Remote Code Execution on case-insensitive file systems when the default servlet is enabled for write access. To prevent exploitation, users should promptly upgrade to a fixed version of the software and ensure that their configuration is secure.

Timeline

Published on: 12/17/2024 13:15:18 UTC
Last modified on: 12/17/2024 18:15:24 UTC