
CVE-2024-56337: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Software Foundation Apache Tomcat

Severity: Critical
Type: Vulnerability
Tags: CVE-2024-56337, CWE-367
Published: Fri Dec 20 2024 (12/20/2024, 15:28:54 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:

- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

AI-Powered Analysis

Last updated: 11/05/2025, 17:23:20 UTC

Technical Analysis

CVE-2024-56337 is a critical vulnerability classified as CWE-367, a Time-of-check Time-of-use (TOCTOU) race condition in Apache Tomcat, a widely used Java-based web server and servlet container. The flaw exists in Tomcat versions from 8.5.0 through 11.0.1 (including milestone and maintenance releases) and is related to how the default servlet handles file writes on case-insensitive file systems (e.g., Windows NTFS or macOS APFS). Specifically, when the default servlet's write capability is enabled (the readonly initialization parameter set to false, which is non-default), a race condition can occur between the time the system checks a file's state and the time it is used, allowing attackers to exploit this window to perform unauthorized file operations. The root cause is linked to the Java system property sun.io.useCanonCaches, which controls caching of canonical file paths. On Java 8 and 11, this property defaults to true, causing stale cache data and enabling the race condition. On Java 17, it defaults to false, but if explicitly set to true, the risk remains. Java 21 and later have removed this caching mechanism, eliminating the issue. The vulnerability was not fully mitigated by the previous CVE-2024-50379 fix, necessitating additional configuration. Tomcat versions 11.0.3, 10.1.35, and 9.0.99 introduce checks to ensure sun.io.useCanonCaches is set correctly before allowing the default servlet to be writable on case-insensitive file systems, and they set the property to false by default where possible. Exploitation requires no authentication or user interaction and can lead to full compromise of confidentiality, integrity, and availability of affected systems. No known exploits are currently reported in the wild, but the high CVSS score (9.8) indicates a critical risk.

Potential Impact

For European organizations, the impact of CVE-2024-56337 can be severe due to the widespread use of Apache Tomcat in enterprise web applications, government portals, and critical infrastructure services. Exploitation could allow attackers to manipulate files, inject malicious code, or disrupt services, leading to data breaches, service outages, and loss of trust. Organizations running Tomcat on Windows or macOS servers (both common in Europe) with the default servlet write enabled and vulnerable Java versions are particularly at risk. This could affect sectors such as finance, healthcare, public administration, and telecommunications, where Tomcat is often deployed. The vulnerability's ability to be exploited remotely without authentication increases the threat level, potentially enabling attackers to pivot within networks or establish persistent footholds. Given the criticality and ease of exploitation, failure to patch or properly configure affected systems could result in significant operational and reputational damage.

Mitigation Recommendations

European organizations should immediately assess their Apache Tomcat deployments to identify affected versions (8.5.0 through 11.0.1 and certain EOL versions). They should upgrade to Tomcat 11.0.3, 10.1.35, or 9.0.99 or later, which include built-in mitigations. If upgrading is not immediately feasible, organizations must ensure the default servlet write feature is disabled (readonly initialization parameter set to true) on case-insensitive file systems. Additionally, for systems running Java 8 or Java 11, explicitly set the system property sun.io.useCanonCaches to false to prevent stale canonical path caching. For Java 17, verify that sun.io.useCanonCaches is either unset or set to false. For Java 21 and newer, no action is required regarding this property. Organizations should also audit their file system types and avoid enabling write access on case-insensitive file systems unless necessary. Implementing strict access controls and monitoring for unusual file system activity related to Tomcat deployments can help detect exploitation attempts. Finally, organizations should stay informed of any emerging exploits and apply security patches promptly.
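To make the per-Java-version rule from the description and the configuration steps above mechanically checkable, here is an added audit helper (not code from the advisory, from Tomcat or from this site): it reads the default servlet's readonly setting from a conf/web.xml fragment and applies the sun.io.useCanonCaches rule for a given Java major version. The web.xml sample is constructed, and the treatment of Java releases the advisory does not name (between 11 and 17, and between 17 and 21) is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]      # drop the javaee/jakarta XML namespace

def default_servlet_readonly(web_xml: str) -> bool:
    """Effective 'readonly' of the 'default' servlet (Tomcat's default: true)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in param}
                if kv.get("param-name") == "readonly":
                    # DefaultServlet treats anything but "true" as writable
                    return kv.get("param-value", "").lower() == "true"
    return True

def canon_cache_action(java_major: int, prop: Optional[str]) -> Optional[str]:
    """Required change to -Dsun.io.useCanonCaches, or None if nothing is needed.
    The advisory names Java 8/11, 17 and 21+; intermediate releases are assumed
    here to follow the nearest lower named release."""
    explicit_false = prop is not None and prop.strip().lower() == "false"
    if java_major >= 21:
        return None                     # property and cache removed in Java 21
    if java_major >= 17:                # defaults to false on Java 17
        return None if prop is None or explicit_false else \
            "sun.io.useCanonCaches is explicitly true: set it to false"
    return None if explicit_false else \
        "set -Dsun.io.useCanonCaches=false explicitly (defaults to true on Java 8/11)"

def assess(web_xml: str, case_insensitive_fs: bool, java_major: int,
           prop: Optional[str] = None) -> List[str]:
    """Findings for CVE-2024-56337; an empty list means the preconditions are absent."""
    if not case_insensitive_fs or default_servlet_readonly(web_xml):
        return []
    findings = ["default servlet is write-enabled on a case-insensitive file system: "
                "set readonly=true or upgrade to Tomcat 11.0.3 / 10.1.35 / 9.0.99+"]
    action = canon_cache_action(java_major, prop)
    return findings + ([action] if action else [])

# Constructed sample: a conf/web.xml default servlet with the weak (writable) setting.
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
WEB_XML_HARDENED = WEB_XML_WRITABLE.replace("<param-value>false<", "<param-value>true<")
```

Run `assess(web_xml_text, True, 11)` on a Windows or macOS host with the JVM's `-Dsun.io.useCanonCaches` value as `prop`; an empty list means no further configuration is needed for this CVE.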


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2024-12-20T11:16:29.949Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690204553aaa02566521b568

Added to database: 10/29/2025, 12:11:01 PM

Last enriched: 11/5/2025, 5:23:20 PM

Last updated: 12/14/2025, 2:42:40 PM

Views: 62
