CVE-2024-22029
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Tomcat packaging where insecure file permissions during installation allow local users to win a race condition and gain root privileges. It affects systems where Tomcat is installed via vulnerable packaging methods, primarily impacting Linux distributions with specific package management implementations.
💻 Affected Systems
- Apache Tomcat
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local user with standard privileges escalates to root, gaining administrative control over the Tomcat server and underlying system.
If Mitigated
Attack fails due to proper file permission controls, SELinux/AppArmor restrictions, or lack of local user access.
🎯 Exploit Status
Requires local access and winning a race condition during package installation/upgrade. Timing window is limited to installation process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check distribution-specific updates (e.g., SUSE security updates)
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22029
Restart Required: No
Instructions:
1. Check your distribution's security advisories.
2. Update the Tomcat package using your package manager (e.g., 'zypper update tomcat' for SUSE).
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Manual installation verification
Platform: Linux
Manually verify file permissions after Tomcat installation to ensure no insecure (world-writable) permissions exist:
find /usr/share/tomcat -type f -perm /o+w
find /etc/tomcat -type f -perm /o+w
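As an added example (not part of this CVE page or the Tomcat project), the following POSIX shell script broadens the two `find` checks above: the `-type f` checks only report world-writable regular files, so this version also flags world-writable directories and setuid/setgid entries under the same paths, and it ships with a constructed Tomcat-like directory tree so the check can be exercised on a host that has no Tomcat installed. The paths /usr/share/tomcat and /etc/tomcat are the ones named above; everything in the fixture is invented test data.

```shell
#!/bin/sh
# Added example, not from the CVE page or the Tomcat project: audit Tomcat
# package directories for insecure permissions. Extends the page's two `find`
# commands to directories and setuid/setgid files, and includes a constructed
# fixture so the check can run without a Tomcat install.

# List every entry under $1 that is world-writable (o+w), setuid, or setgid.
# Prints one `ls -ld` line per finding. Returns 0 if nothing was found,
# 1 otherwise; a missing directory is skipped with a note on stderr.
audit_tomcat_perms() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "skip: $dir does not exist" >&2
        return 0
    fi
    # Octal modes: 0002 = world-writable, 4000 = setuid, 2000 = setgid.
    findings=$(find "$dir" \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print 2>/dev/null)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | while IFS= read -r entry; do
        ls -ld "$entry"
    done
    return 1
}

# Number of insecure entries under $1, for scripting and for tests.
count_insecure() {
    audit_tomcat_perms "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree that mimics a Tomcat layout with three deliberately
# insecure entries (constructed test data, not real package output).
# Modes are set explicitly so the result does not depend on the caller's umask.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/webapps" "$root/bin"
    chmod 755 "$root/conf" "$root/bin"
    printf '<Server/>\n' > "$root/conf/server.xml"
    chmod 640 "$root/conf/server.xml"          # fine
    printf '<tomcat-users/>\n' > "$root/conf/tomcat-users.xml"
    chmod 666 "$root/conf/tomcat-users.xml"    # world-writable file
    chmod 777 "$root/webapps"                  # world-writable directory: a -type f check misses this
    printf '#!/bin/sh\n' > "$root/bin/helper"
    chmod 4755 "$root/bin/helper"              # setuid file
    echo "$root"
}

# Stand-alone demo: the real package paths named on the page, then the fixture.
for d in /usr/share/tomcat /etc/tomcat; do
    audit_tomcat_perms "$d" || echo "WARNING: insecure entries under $d"
done
fixture=$(make_fixture)
echo "fixture findings: $(count_insecure "$fixture") (expected 3)"
rm -rf "$fixture"
```

Run it as the root or tomcat service account so `find` can descend into every directory; entries it cannot read are silently skipped, so an empty result from an unprivileged user is not proof that the tree is clean.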
Restrict local user access
Platform: all
Limit local shell access to Tomcat servers to trusted administrators only.
🧯 If You Can't Patch
- Monitor for unauthorized local user activity and file permission changes
- Implement strict access controls to prevent untrusted local users from accessing Tomcat servers
🔍 How to Verify
Check if Vulnerable:
Check if Tomcat was installed/updated during a period when vulnerable packaging was used. Review package version and installation logs.
Check Version:
rpm -q tomcat (RPM-based), dpkg -l tomcat (Debian-based), or the equivalent query for your distribution's package manager
Verify Fix Applied:
Verify that the installed Tomcat package version matches the patched version given in the vendor advisory, and check that file permissions under the Tomcat directories are secure.
📡 Detection & Monitoring
Log Indicators:
- Unexpected package installation/upgrade events
- File permission changes in Tomcat directories
- Unusual local user activity during maintenance windows
Network Indicators:
- None; this is a local attack.
SIEM Query:
source="package_manager" AND (event="install" OR event="upgrade") AND package="tomcat*"
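The SIEM query above assumes package-manager events are already being shipped to a SIEM. As an added example (not from the CVE page or any vendor), here is a host-side equivalent in POSIX shell that scans a dpkg.log or zypper history file for tomcat* install/upgrade events and prints them in one normalized line format. The line layouts it parses are assumptions about those two log formats, and the sample lines (including the version strings) are constructed; adjust the awk patterns to match your distribution's actual log format.

```shell
#!/bin/sh
# Added example, not from the CVE page: a host-side equivalent of the page's
# SIEM query, run over package-manager logs. The dpkg.log and zypper history
# line shapes below are assumptions; adjust them for your distribution.
# The sample log lines are constructed test data.

# Print one line per tomcat* install or upgrade event found in $1 (a dpkg.log
# or zypper history file). Other packages and other actions are ignored.
# Output: "<source> <date> <time> <action> <package> <version>"
tomcat_pkg_events() {
    awk '
        # Assumed dpkg.log layout: "<date> <time> install|upgrade <pkg>:<arch> <oldver> <newver>"
        $3 == "install" || $3 == "upgrade" {
            if ($4 ~ /^tomcat/) print "dpkg", $1 " " $2, $3, $4, $NF
            next
        }
        # Assumed zypper history layout: "<date> <time>|<action>|<pkg>|<version>|<arch>|<repo>|..."
        index($0, "|") > 0 {
            split($0, f, "|")
            if ((f[2] == "install" || f[2] == "upgrade") && f[3] ~ /^tomcat/)
                print "zypp", f[1], f[2], f[3], f[4]
        }
    ' "$1"
}

# Number of matching events in $1, for scripting and for tests.
count_tomcat_pkg_events() {
    tomcat_pkg_events "$1" | wc -l | tr -d ' '
}

# Write constructed sample lines mixing both formats to a temp file; echo its path.
# Only three lines should match: two dpkg tomcat9 events and one zypper tomcat event.
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
2024-02-01 09:10:11 install tomcat9:all <none> 9.0.0-2
2024-02-01 09:10:12 status installed tomcat9:all 9.0.0-2
2024-02-03 14:00:00 upgrade tomcat9:all 9.0.0-2 9.0.0-3
2024-02-03 14:00:01 upgrade libc6:amd64 2.36-9 2.36-10
2024-02-05 08:00:00|install|tomcat|9.0.0-1|noarch|repo-update|abc123|
2024-02-05 08:00:01|install|vim|9.0-1|x86_64|repo-oss|def456|
2024-02-05 08:00:02|remove|tomcat-lib|9.0.0-1|noarch|||
EOF
    echo "$log"
}

# Stand-alone demo: real logs if present and readable, then the constructed sample.
for f in /var/log/dpkg.log /var/log/zypp/history; do
    [ -r "$f" ] && tomcat_pkg_events "$f"
done
sample=$(make_sample_log)
tomcat_pkg_events "$sample"
rm -f "$sample"
```

Correlate each reported event's timestamp with your change calendar: an install or upgrade of the Tomcat package outside a planned maintenance window is the "unexpected package installation/upgrade" indicator listed above, and the timestamp also bounds the window in which the race described in this CVE could have been attempted.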