CVE-2024-50379

9.8 CRITICAL

📋 TL;DR

A time-of-check/time-of-use (TOCTOU) race condition in Apache Tomcat's JSP compilation allows an unauthenticated attacker to achieve remote code execution (RCE) on case-insensitive file systems when the default servlet is configured to allow writes (its readonly init-param set to false, a non-default setting). The attacker uploads JSP source through the default servlet under a case variant of the .jsp extension (for example .Jsp, which the JSP servlet's *.jsp mapping does not catch) and concurrently requests the lowercase .jsp path; if the race is won, Tomcat compiles and executes the uploaded file. This affects Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33 and 9.0.0.M1 through 9.0.97, plus some EOL versions. A default Tomcat installation is not vulnerable because the default servlet is read-only.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, 9.0.0.M1 through 9.0.97, plus EOL versions 8.5.0 through 8.5.100
Operating Systems: any OS where the webapps directory sits on a case-insensitive file system: Windows (NTFS is case-insensitive by default), macOS (APFS and HFS+ are case-insensitive by default), Linux only when a case-insensitive mount is used (ext4 and XFS defaults are case-sensitive)
Default Config Vulnerable: ✅ No
Notes: Requires a case-insensitive file system AND the default servlet configured with readonly=false (Tomcat's default is readonly=true, which rejects PUT and DELETE).

📦 What is this software?

Apache Tomcat is an open-source Java servlet container that implements the Jakarta Servlet and JSP specifications. It serves JSP pages by compiling them to servlets on first request, which is the code path this race condition sits in. Its default servlet serves static resources and, when configured with readonly=false, also accepts file writes via HTTP PUT and DELETE.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: the attacker gains remote code execution as the Tomcat service account, which can lead to data theft, lateral movement or ransomware deployment.

🟠 Likely Case

Attackers upload a JSP file through the writable default servlet and win the race to get it compiled and executed, compromising the Tomcat server and any application data it can reach.

🟢 If Mitigated

Limited impact when the default servlet is read-only (readonly=true, the default) and proper file system permissions are enforced: without a write path there is no file for the race to compile.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires winning a race (in practice by sending many concurrent upload and execute requests rather than precise timing) and a non-default configuration, but a successful attempt yields RCE as the Tomcat service account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.2, 10.1.34, or 9.0.98

Vendor Advisory: https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r

Restart Required: Yes

Instructions:

1. Download the patched release (11.0.2, 10.1.34 or 9.0.98, or later on the same branch) from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up conf/, webapps/ and any other customised files.
4. Replace the Tomcat installation with the patched version.
5. Restore the configuration and applications.
6. Start the Tomcat service.

Caveat: Apache later reported that this fix was incomplete (tracked as CVE-2024-56337) and that full mitigation also depends on the JVM running Tomcat: on Java 8 and Java 11 the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true); on Java 17 it defaults to false, so confirm it has not been set to true; on Java 21 and later the property and the problematic cache no longer exist and nothing further is needed.

🔧 Temporary Workarounds

Disable Default Servlet Write Permissions

all

Make the default servlet read-only again by removing its write permission in web.xml.

Edit $CATALINA_HOME/conf/web.xml (and any application WEB-INF/web.xml that redefines the servlet) and, in the <servlet> whose <servlet-name> is default, set the readonly init-param to true or remove it entirely. readonly=true is Tomcat's default; readonly=false is the setting that enables PUT and DELETE through the default servlet. Restart Tomcat after the change.

Use Case-Sensitive File System

linux

Deploy Tomcat with its webapps directory on a case-sensitive file system where possible (the Linux defaults ext4 and XFS are case-sensitive). The race depends on the file system matching a .Jsp upload against a .jsp request, so it cannot be triggered on a case-sensitive file system.

🧯 If You Can't Patch

  • Set the default servlet's readonly init-param back to true (or remove it) and restart Tomcat immediately
  • Implement strict network access controls to limit Tomcat exposure

🔍 How to Verify

Check if Vulnerable:

Check the running Tomcat version, check whether the default servlet has readonly set to false in conf/web.xml or any application's WEB-INF/web.xml, and check whether the webapps directory is on a case-insensitive file system. All three must hold for the server to be exploitable.

Check Version:

java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo

Verify Fix Applied:

Confirm the version printed by the command above is 11.0.2, 10.1.34 or 9.0.98 or later on its branch, and that no web.xml still sets readonly to false on the default servlet.
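To turn the three checks above (running version, readonly init-param, case-insensitive file system) into one repeatable test, here is an added example in Python; it is not part of the advisory or of Tomcat itself. It reads the ServerInfo output and a web.xml you supply, and it also doubles as the configuration illustration for the workaround section: the WEAK_WEB_XML and HARDENED_WEB_XML fragments are constructed samples showing readonly=false beside the corrected readonly=true. The file system probe is my own assumption of a reasonable check (create a lowercase temp file, look it up in upper case), not something the advisory prescribes.

```python
"""Offline pre-condition check for CVE-2024-50379. Added example, not part of the
advisory or of Tomcat itself; the web.xml fragments below are constructed."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# First fixed release per branch (from the advisory). Older on the same branch = affected.
FIXED = {11: (11, 0, 2), 10: (10, 1, 34), 9: (9, 0, 98)}


def parse_version(server_info: str) -> tuple:
    """Extract (major, minor, patch) from ServerInfo output, e.g.
    'Server version: Apache Tomcat/9.0.97'. Milestone suffixes (11.0.0-M1)
    are dropped: every milestone of an affected branch is itself affected."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", server_info)
    if not m:
        raise ValueError("no Apache Tomcat version string found")
    return tuple(int(x) for x in m.groups())


def version_affected(ver: tuple) -> bool:
    if ver[0] in FIXED:
        return ver < FIXED[ver[0]]
    return ver[0] <= 8  # 8.5.x and older are EOL and never received a fix


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the javaee/jakartaee namespace


def default_servlet_writable(web_xml: str) -> bool:
    """True when the 'default' servlet carries init-param readonly=false.
    An absent param means Tomcat's default (readonly=true): PUT/DELETE rejected.
    Run this over conf/web.xml AND each app's WEB-INF/web.xml (the latter can override)."""
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        names = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-name" and c.text]
        if names != ["default"]:
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False


def filesystem_case_insensitive(directory=None) -> bool:
    """Assumed probe: create a lowercase file in `directory` (default: the system
    temp dir; pass the webapps directory for a real check) and look it up in upper case."""
    with tempfile.NamedTemporaryFile(prefix="cve_probe_", suffix=".jsp", dir=directory) as f:
        d, name = os.path.split(f.name)
        return os.path.exists(os.path.join(d, name.upper()))


def assess(server_info: str, web_xml: str, case_insensitive_fs=None) -> dict:
    """All three pre-conditions must hold for the server to be exploitable."""
    ver = parse_version(server_info)
    if case_insensitive_fs is None:
        case_insensitive_fs = filesystem_case_insensitive()
    result = {
        "version": ".".join(map(str, ver)),
        "version_affected": version_affected(ver),
        "default_servlet_writable": default_servlet_writable(web_xml),
        "case_insensitive_fs": case_insensitive_fs,
    }
    result["vulnerable"] = all((result["version_affected"],
                                result["default_servlet_writable"],
                                case_insensitive_fs))
    return result


# Constructed conf/web.xml fragments: the weak setting (writes enabled) and the
# corrected one (Tomcat's default; omitting the init-param is equivalent).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")

if __name__ == "__main__":
    # Feed real data from:
    #   java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
    #   cat "$CATALINA_HOME/conf/web.xml"
    print(assess("Server version: Apache Tomcat/9.0.97", WEAK_WEB_XML, case_insensitive_fs=True))
    print(assess("Server version: Apache Tomcat/9.0.98", HARDENED_WEB_XML))
```

Pass the webapps directory to filesystem_case_insensitive rather than relying on the temp dir when the two live on different mounts, and remember that a host can be "not vulnerable" by this script yet still need the sun.io.useCanonCaches setting once patched.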

📡 Detection & Monitoring

Log Indicators:

  • Access-log entries for PUT requests whose target ends in a case variant of .jsp or .jspx (for example .Jsp or .JSP), followed by GET requests for the lowercase path from the same source
  • Bursts of identical PUT/GET pairs from one source (the attacker has to win a race, so attempts are repeated rapidly)
  • JSP compilation errors in catalina.out for files nobody deployed
  • New .jsp (or .Jsp) files appearing under the webapps directory outside a deployment window

Network Indicators:

  • HTTP PUT or DELETE requests reaching the Tomcat default servlet, especially with .jsp-like targets; on a correctly configured (read-only) server these should be rejected
  • Unusual outbound connections from Tomcat process

SIEM Query:

source="tomcat_access" AND method IN ("PUT", "DELETE") AND uri MATCHES "(?i)\.jspx?$"

(Pseudo-query: field names depend on how your SIEM parses the Tomcat access log. Match the extension case-insensitively, because the upload uses a case variant such as .Jsp. Pair it with a second search over catalina.out for JSP compilation errors.)
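The same detection logic, run over access-log lines offline, as an added example in Python that is not part of the advisory. It assumes the AccessLogValve "common" pattern that Tomcat's shipped server.xml uses (%h %l %u %t "%r" %s %b); the sample lines are constructed, and the rule names and severities are my own choices.

```python
"""Scan Tomcat access-log lines for the CVE-2024-50379 upload-then-execute pattern.
Added example, not from the advisory; assumes the AccessLogValve 'common'
pattern (%h %l %u %t "%r" %s %b). The sample lines below are constructed."""
import re

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# .jsp/.jspx in any letter case. The exploit PUTs a case variant such as .Jsp
# (the JSP servlet's *.jsp mapping is case-sensitive, so the default servlet
# handles the write) and then GETs the lowercase path to trigger compilation.
JSP_EXT = re.compile(r"\.jspx?$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["uri"] = rec["uri"].split("?", 1)[0]  # drop the query string
    return rec


def _finding(severity, rule, rec):
    return {"severity": severity, "rule": rule, "host": rec["host"],
            "method": rec["method"], "uri": rec["uri"], "time": rec["time"]}


def analyze(lines):
    """Return findings in log order. Rules (names are this example's own):
      jsp_put          high     PUT/DELETE targeting a .jsp-like path
      put_then_execute critical GET of a .jsp whose file the same host PUT
                                earlier (the race pattern)
      write_accepted   medium   any other PUT/DELETE the server accepted (2xx),
                                which proves the default servlet is not read-only
    """
    findings, staged = [], {}  # staged: host -> lowercase URIs it has written
    for rec in filter(None, map(parse_line, lines)):
        host, method, uri, status = rec["host"], rec["method"], rec["uri"], rec["status"]
        if method in ("PUT", "DELETE"):
            if JSP_EXT.search(uri):
                if method == "PUT" and status < 300:
                    staged.setdefault(host, set()).add(uri.lower())
                findings.append(_finding("high", "jsp_put", rec))
            elif status < 300:
                findings.append(_finding("medium", "write_accepted", rec))
        elif method == "GET" and uri.lower() in staged.get(host, ()):
            findings.append(_finding("critical", "put_then_execute", rec))
    return findings


# Constructed sample: one host stages shell.Jsp and requests shell.jsp,
# a second host browses normally, a third host proves the write path is open.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2024:10:15:32 +0000] "PUT /app/shell.Jsp HTTP/1.1" 201 -
10.0.0.5 - - [18/Dec/2024:10:15:32 +0000] "GET /app/shell.jsp HTTP/1.1" 200 412
10.0.0.5 - - [18/Dec/2024:10:15:33 +0000] "PUT /app/shell.Jsp HTTP/1.1" 204 -
10.0.0.9 - - [18/Dec/2024:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1234
192.0.2.7 - - [18/Dec/2024:10:17:44 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 -
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:8} {f['rule']:17} {f['host']:10} {f['method']} {f['uri']}")
```

If your AccessLogValve uses the "combined" pattern or a custom one, extend LINE_RE accordingly; the rule logic only needs host, method, URI and status. The write_accepted rule is the one to act on first: any accepted PUT means the readonly=false precondition is live regardless of whether an exploit has been attempted.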

🔗 References
