CVE-2024-50379: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Software Foundation Apache Tomcat
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case-insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
AI Analysis
Technical Summary
CVE-2024-50379 is a critical vulnerability in Apache Tomcat, a widely used Java servlet container. The flaw is a Time-of-check Time-of-use (TOCTOU) race condition during the compilation of JavaServer Pages (JSP). When the default servlet is configured to allow write operations (a non-default and uncommon configuration), an attacker can exploit the window between the time a file is checked and the time it is used on a case-insensitive file system. The race enables remote code execution (RCE) without authentication or user interaction. The vulnerability affects Apache Tomcat versions from 8.5.0 through 11.0.1, including multiple milestone and release versions. It is particularly dangerous because it lets an attacker execute arbitrary code on the server, potentially leading to full system compromise. It has been assigned a CVSS v3.1 score of 9.8, reflecting a network attack vector, low attack complexity, no privileges required and no user interaction. The Apache Software Foundation has released fixed versions 11.0.2, 10.1.34 and 9.0.98. Although no active exploits have been reported, the vulnerability's characteristics make it a prime target for attackers once weaponized. The root cause is the TOCTOU race during JSP compilation on case-insensitive file systems, which are common in Windows environments, so Tomcat instances on Windows or similarly case-insensitive platforms are particularly exposed if the default servlet is misconfigured to allow writes. The vulnerability underscores the importance of secure servlet configuration and timely patching in Java web application environments.
Potential Impact
For European organizations, the impact of CVE-2024-50379 is significant due to the widespread use of Apache Tomcat in enterprise web applications, government services, and critical infrastructure. Successful exploitation can lead to remote code execution, allowing attackers to gain full control over affected servers. This compromises confidentiality by exposing sensitive data, integrity by enabling unauthorized changes, and availability by potentially disrupting services. Organizations running Tomcat on Windows or other case-insensitive file systems with write-enabled default servlets are at highest risk. The vulnerability could be leveraged to deploy ransomware, steal data, or pivot within networks, severely impacting business continuity and regulatory compliance, especially under GDPR. Given the critical severity and ease of exploitation, the threat could lead to large-scale breaches if not promptly mitigated. The lack of required authentication or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation in unpatched environments.
Mitigation Recommendations
1. Immediately upgrade Apache Tomcat to the fixed versions: 11.0.2, 10.1.34, or 9.0.98.
2. Review and disable write permissions on the default servlet unless absolutely necessary, as this non-default configuration enables the vulnerability.
3. For environments that must allow write access, implement strict access controls and monitor for suspicious file operations during JSP compilation.
4. Conduct thorough audits of Tomcat configurations across all servers, especially those running on Windows or other case-insensitive file systems.
5. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with rules targeting suspicious JSP compilation or file system race conditions.
6. Monitor logs for unusual activity related to JSP compilation or file writes to detect potential exploitation attempts.
7. Isolate critical Tomcat servers within segmented network zones to limit lateral movement if compromised.
8. Educate system administrators about the risks of enabling write access on default servlets and the importance of timely patching.
9. Implement robust backup and recovery procedures to mitigate impact in case of successful exploitation.
10. Stay informed on any emerging exploit reports or additional patches from Apache.
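A configuration audit for recommendations 2 and 4 above, added here as an example (not code from the Tomcat project or from this advisory): it parses a constructed conf/web.xml fragment and flags any DefaultServlet declaration whose readonly init-param is set to false, which is the write-enabled, non-default setting this CVE requires. The servlet class name and the readonly parameter are Tomcat's documented ones; the sample XML and the hardened variant are constructed.

```python
"""Audit a Tomcat web.xml for a write-enabled default servlet (added example,
not Tomcat project code). Assumes the standard layout: the default servlet is
declared as org.apache.catalina.servlets.DefaultServlet and accepts PUT/DELETE
only when its "readonly" init-param is explicitly "false"."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: a conf/web.xml fragment carrying the weak setting (readonly=false).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# The corrected configuration: same servlet, writes rejected (Tomcat's default).
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("readonly</param-name><param-value>false",
                                          "readonly</param-name><param-value>true")


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name) so any web-app schema works."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml: str) -> dict:
    """Map each DefaultServlet declaration name to its effective readonly flag (missing == True)."""
    result = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, cls, readonly = None, None, True
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                if kv.get("param-name") == "readonly":
                    # Tomcat parses the value like Boolean.parseBoolean: case-insensitive.
                    readonly = kv.get("param-value", "true").lower() != "false"
        if cls == DEFAULT_SERVLET_CLASS:
            result[name] = readonly
    return result


def writable_default_servlets(web_xml: str) -> list:
    """Names of DefaultServlet declarations that accept writes (readonly=false)."""
    return [n for n, ro in default_servlet_readonly(web_xml).items() if not ro]
```

Run it against both conf/web.xml and each application's WEB-INF/web.xml, since a per-application declaration can re-enable writes that the global file leaves off.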
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2024-10-23T13:31:10.241Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690204553aaa02566521b56f
Added to database: 10/29/2025, 12:11:01 PM
Last enriched: 10/29/2025, 12:20:05 PM
Last updated: 10/30/2025, 4:41:29 PM