CVE-2024-50379 is a critical security vulnerability classified under CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) affecting Apache Tomcat versions 8.5.0 through 11.0.1. The flaw occurs during the compilation of JavaServer Pages (JSP) on case-insensitive file systems when the default servlet is configured to allow write operations, which is not the default setting. The TOCTOU race condition arises because the system checks file properties and then uses the file in a separate step, allowing an attacker to manipulate the file state between these operations. This can be exploited to achieve remote code execution (RCE) without requiring authentication or user interaction, making it highly dangerous. The vulnerability affects multiple major Tomcat branches, including 8.5.x, 9.0.x, 10.1.x, and 11.0.x, with older versions also impacted though some are end-of-life. The Apache Software Foundation has addressed the issue in versions 11.0.2, 10.1.34, and 9.0.98. The CVSS v3.1 score of 9.8 reflects the vulnerability's ease of exploitation, lack of required privileges, and the potential for complete compromise of confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the critical nature and public disclosure necessitate immediate attention. The vulnerability is particularly relevant for environments running Tomcat on case-insensitive file systems such as Windows or certain macOS configurations, and where the default servlet is configured to allow write access, which is a non-default but possible configuration in some deployments.

The impact of CVE-2024-50379 on European organizations is severe due to the widespread use of Apache Tomcat in enterprise web applications, government portals, and critical infrastructure. Successful exploitation results in remote code execution, allowing attackers to execute arbitrary code with the privileges of the Tomcat process. This can lead to full system compromise, data theft, service disruption, and lateral movement within networks. Organizations using case-insensitive file systems (commonly Windows-based servers) with write-enabled default servlets are at highest risk. The vulnerability threatens confidentiality, integrity, and availability of affected systems. Given the criticality and ease of exploitation, attackers could deploy ransomware, exfiltrate sensitive data, or establish persistent footholds. European sectors such as finance, healthcare, public administration, and manufacturing that rely on Tomcat-based applications could face operational disruptions and regulatory penalties under GDPR if breaches occur. The lack of known exploits in the wild provides a window for proactive mitigation, but the risk of imminent exploitation remains high.

1. Immediately upgrade Apache Tomcat to the fixed versions: 11.0.2, 10.1.34, or 9.0.98 depending on your deployment branch. 2. Audit and disable write permissions on the default servlet unless explicitly required, as this is a non-default configuration that enables the vulnerability. 3. For environments running on case-insensitive file systems (e.g., Windows), prioritize patching and configuration review due to increased risk. 4. Implement strict file system permissions to limit the ability of attackers to manipulate JSP files or servlet resources. 5. Monitor web server logs and application behavior for unusual file access patterns or JSP compilation errors that may indicate exploitation attempts. 6. Employ network segmentation and application-layer firewalls to restrict external access to Tomcat management interfaces and JSP compilation endpoints. 7. Regularly review and update incident response plans to include scenarios involving Tomcat RCE vulnerabilities. 8. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with signatures targeting TOCTOU exploitation techniques as an additional layer of defense.