CVE-2024-56337

9.8 CRITICAL

📋 TL;DR

CVE-2024-56337 records that the fix for CVE-2024-50379 was incomplete. Both describe a Time-of-check Time-of-use (TOCTOU) race condition in Apache Tomcat on case-insensitive file systems: concurrent reads and uploads of the same file through the default servlet can bypass Tomcat's case-sensitivity checks, so an uploaded file is treated as a JSP and executed, giving remote code execution. Affected versions are Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, 9.0.0.M1 through 9.0.97, and likely the EOL 8.5.x line. Exposure needs two non-default conditions together: the default servlet is write-enabled (readonly=false) and the web application lives on a case-insensitive file system. Depending on the Java version, the system property sun.io.useCanonCaches must also be set correctly for the Tomcat fix to hold.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, 9.0.0.M1 through 9.0.97, 8.5.0 through 8.5.100 (EOL)
Operating Systems: Windows (NTFS, case-insensitive by default), macOS (APFS and HFS+ are case-insensitive unless formatted case-sensitive), Linux only where the web application directory sits on a case-insensitive mount (for example an ext4 casefold directory or an NTFS/SMB volume)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the default servlet is write-enabled (readonly=false; the default is true) AND the web application is on a case-insensitive file system. Both conditions are required.

📦 What is this software?

Apache Tomcat is the Apache Software Foundation's open-source Java servlet container and web server, implementing the Java/Jakarta Servlet and JSP specifications. Its default servlet (org.apache.catalina.servlets.DefaultServlet) serves static resources and, when its readonly init-param is set to false, also accepts PUT and DELETE requests that create or remove files inside the deployed web application.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

An uploaded file executed as a JSP (web shell) under the account running Tomcat, followed by lateral movement from that host.

🟢

If Mitigated

No impact where the default servlet is read-only (the default), the file system is case-sensitive, or a fixed version is running with sun.io.useCanonCaches in the state its Java version requires.

🌐 Internet-Facing: HIGH - Tomcat is commonly exposed directly, and no credentials are needed once the default servlet is write-enabled.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if vulnerable configuration exists.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation means winning a race between the default servlet writing the uploaded file and Tomcat's case-sensitivity check deciding whether the same file may be handed to the JSP engine, and it only works in the non-default configuration described above. CVSS 9.8 reflects a network-reachable, unauthenticated path to code execution; the MEDIUM complexity here reflects the timing and configuration preconditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tomcat 11.0.3, 10.1.35, 9.0.99. These releases check that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write-enabled on a case-insensitive file system, and set the property to false by default where they can. The earlier releases 11.0.2, 10.1.34 and 9.0.98 contain the CVE-2024-50379 fix but still depend on the Java system property configuration listed under Temporary Workarounds.

Vendor Advisory: https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp

Restart Required: Yes

Instructions:

1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up configuration files (conf/ and any setenv script).
4. Replace the Tomcat installation with the patched version.
5. Restore the configuration files.
6. Start the Tomcat service.

🔧 Temporary Workarounds

Java System Property Configuration

all

Set sun.io.useCanonCaches according to the Java version. This is the configuration that 11.0.2, 10.1.34 and 9.0.98 (the CVE-2024-50379 fix) require to be effective; it is typically placed in CATALINA_OPTS via bin/setenv.sh or bin/setenv.bat:

For Java 8 or 11: the property defaults to true and must be set explicitly: -Dsun.io.useCanonCaches=false
For Java 17: the property defaults to false; if it is set anywhere, it must be set to false
For Java 21 and later: no action needed; the property and the cache it controlled were removed from the JDK

Disable Default Servlet Write

all

Set the readonly init-param of the default servlet to true (the default), or remove the override that sets it to false, in conf/web.xml or in the application's WEB-INF/web.xml:

  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>

🧯 If You Can't Patch

  • On 11.0.2, 10.1.34 or 9.0.98 (CVE-2024-50379 fix present): set sun.io.useCanonCaches=false in the Tomcat startup options (CATALINA_OPTS in setenv.sh/setenv.bat) for Java 8 and 11, and make sure it is not set to true on Java 17
  • On any version: remove write access from the default servlet by setting readonly=true in web.xml; this removes the precondition entirely and is the workaround to rely on for builds older than the CVE-2024-50379 fix

🔍 How to Verify

Check if Vulnerable:

Run catalina.sh version (or version.sh; version.bat on Windows) and compare against the fixed versions; check whether conf/web.xml or any webapp's WEB-INF/web.xml sets the default servlet's readonly parameter to false; confirm whether the webapps directory is on a case-insensitive file system (create a file and test whether it is reachable under a different letter case); note the Java version and whether sun.io.useCanonCaches appears in CATALINA_OPTS or JAVA_OPTS.

Check Version:

catalina.sh version (Linux/macOS) or version.bat (Windows)

Verify Fix Applied:

Confirm the running version is 11.0.3+, 10.1.35+ or 9.0.99+. If you are on 11.0.2, 10.1.34 or 9.0.98, or relying on the workaround, confirm sun.io.useCanonCaches is false on Java 8/11 and not set to true on Java 17 (no action on Java 21+).
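The checks above, combined into one POSIX sh triage script. This is an added example, not part of the Apache Tomcat project; the version strings, web.xml fragments and JVM flags it processes are constructed samples, and a live run would feed it the output of bin/version.sh, the real conf/web.xml on stdin, the JVM major version and $CATALINA_OPTS. The function names (tomcat_at_least, default_servlet_writable, canon_cache_safe, fs_case_insensitive, assess) are this example's own.

```shell
#!/bin/sh
# Triage helper for CVE-2024-56337 (added example; not Tomcat project code).
# Inputs below are constructed samples; see the lead-in for what a live run supplies.

# tomcat_at_least VERSION P11 P10 P9 -> 0 if VERSION >= 11.0.P11 / 10.1.P10 / 9.0.P9
tomcat_at_least() {
  v=${1##*/}                              # "Apache Tomcat/9.0.97" -> "9.0.97"
  case "$v" in *M*) return 1 ;; esac      # milestones (11.0.0-M1, 9.0.0.M1) predate every fix
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  case "$major.$minor" in
    11.0) [ "$patch" -ge "$2" ] ;;
    10.1) [ "$patch" -ge "$3" ] ;;
    9.0)  [ "$patch" -ge "$4" ] ;;
    *)    return 1 ;;                     # 8.5.x and older are EOL with no fix; other branches: check by hand
  esac
}
tomcat_fully_fixed()   { tomcat_at_least "$1" 3 35 99; }   # 11.0.3 / 10.1.35 / 9.0.99: complete fix
tomcat_has_50379_fix() { tomcat_at_least "$1" 2 34 98; }   # 11.0.2 / 10.1.34 / 9.0.98: needs the JVM property

# default_servlet_writable < web.xml -> 0 if the "default" servlet sets readonly=false.
# Text-level scan: it does not understand XML comments, so confirm hits by eye.
default_servlet_writable() {
  awk '
    /<servlet>/ { inblk = 1; isdef = 0; ro = ""; want = 0 }
    inblk && /<servlet-name>[ \t]*default[ \t]*<\/servlet-name>/ { isdef = 1 }
    inblk && /<param-name>[ \t]*readonly[ \t]*<\/param-name>/   { want = 1 }
    inblk && want && /<param-value>/ {
      v = $0; sub(/.*<param-value>[ \t]*/, "", v); sub(/[ \t]*<\/param-value>.*/, "", v)
      ro = tolower(v); want = 0
    }
    /<\/servlet>/ { if (inblk && isdef && ro == "false") found = 1; inblk = 0 }
    END { exit found ? 0 : 1 }'
}

# canon_cache_safe JAVA_MAJOR "JVM OPTIONS" -> 0 if sun.io.useCanonCaches is in the state
# the advisory requires: Java 8/11 must set it to false explicitly, Java 17 must not set
# it to true, Java 21+ no longer has the property at all.
canon_cache_safe() {
  if [ "$1" -ge 21 ]; then return 0; fi
  case " $2 " in
    *" -Dsun.io.useCanonCaches=false "*) return 0 ;;
    *" -Dsun.io.useCanonCaches=true "*)  return 1 ;;
  esac
  [ "$1" -ge 17 ]                         # unset: fine on 17 (default false), unsafe on 8/11 (default true)
}

# fs_case_insensitive DIR -> 0 if DIR is on a case-insensitive file system (probe by creating a file)
fs_case_insensitive() {
  d=$(mktemp -d "${1:-/tmp}/cve-2024-56337.XXXXXX") || return 2
  : > "$d/probe.jsp"
  if [ -e "$d/PROBE.JSP" ]; then r=0; else r=1; fi
  rm -rf "$d"
  return "$r"
}

# assess VERSION JAVA_MAJOR "JVM OPTIONS" CASE_INSENSITIVE(0=yes,1=no) < web.xml
# Exit 0 = exposure remains, 1 = mitigated. Checks are ordered cheapest first.
assess() {
  ver=$1; jmajor=$2; jopts=$3; ci=$4
  if tomcat_fully_fixed "$ver";  then echo "OK: $ver carries the complete fix"; return 1; fi
  if [ "$ci" -ne 0 ];            then echo "OK: case-sensitive file system, not affected"; return 1; fi
  if ! default_servlet_writable; then echo "OK: default servlet is read-only"; return 1; fi
  if tomcat_has_50379_fix "$ver" && canon_cache_safe "$jmajor" "$jopts"; then
    echo "OK: $ver plus a safe sun.io.useCanonCaches state for Java $jmajor"; return 1
  fi
  echo "EXPOSED: $ver with a writable default servlet on a case-insensitive file system"
  return 0
}

# Constructed sample web.xml fragments (the vulnerable one overrides readonly to false).
SAMPLE_VULN_WEBXML='<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>'
SAMPLE_SAFE_WEBXML='<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>'

# Example run; a live check would pass the real version string, JVM flags and web.xml.
if fs_case_insensitive /tmp; then CI=0; else CI=1; fi
if printf '%s\n' "$SAMPLE_VULN_WEBXML" | assess "Apache Tomcat/9.0.97" 11 "-Xmx1g" "$CI"; then
  echo "action: upgrade to 9.0.99+ (or 10.1.35+/11.0.3+) or set readonly=true"
fi
```

The property check deliberately counts only for builds that already contain the CVE-2024-50379 fix, because the advisory describes the property as additional configuration for that fix, not as a stand-alone mitigation. The web.xml scan is grep-grade: it will not see a readonly override inside an XML comment, and it looks at one file at a time, so run it against conf/web.xml and every deployed WEB-INF/web.xml.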

📡 Detection & Monitoring

Log Indicators:

  • File creation inside web application directories that no deployment performed, especially .jsp/.jspx names in unexpected letter case
  • Bursts of PUT requests followed within the same second by GET requests for a path that differs only in letter case
  • On fixed Tomcat builds, startup log messages about sun.io.useCanonCaches when the default servlet is write-enabled (the fixed versions check this property before allowing readonly=false on a case-insensitive file system)

Network Indicators:

  • PUT (or DELETE) requests reaching Tomcat and returning 2xx: the default servlet only honours them when readonly=false, so any success is itself a configuration finding
  • Interleaved PUT and GET requests for the same JSP-like path from one client in rapid succession

SIEM Query:

source="tomcat" AND http_method="PUT" AND lower(uri) LIKE "%.jsp%" AND status>=200 AND status<300 (pseudo-syntax; adapt field names to your platform, then correlate with GET requests to the same case-folded uri within 1s)
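The two indicators above (accepted PUTs to JSP-like paths, and upload/read pairs of the same case-folded path inside a short window), implemented over Tomcat access-log lines. This is an added example, not Tomcat project code; SAMPLE_LOG is constructed and follows the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), and the function names are this example's own. Paths are case-folded before comparison because on the affected file systems /shell.Jsp and /shell.jsp are the same file.

```python
"""Detection example for CVE-2024-56337 over Tomcat access-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Tomcat "common" access log: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
JSP_EXT = (".jsp", ".jspx")
READ_METHODS = ("GET", "HEAD", "POST")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], TIME_FMT)
    e["status"] = int(e["status"])
    # Case-fold and drop the query string: on a case-insensitive file system
    # /shell.Jsp and /shell.jsp name the same file, which is the whole point.
    e["key"] = e["path"].split("?", 1)[0].lower()
    return e


def successful_jsp_puts(lines):
    """Original paths of PUT requests to JSP-like targets that got a 2xx answer.
    Any hit shows the default servlet is write-enabled for that context."""
    hits = set()
    for e in filter(None, map(parse_line, lines)):
        if e["method"] == "PUT" and e["key"].endswith(JSP_EXT) and 200 <= e["status"] < 300:
            hits.add(e["path"])
    return hits


def put_read_races(lines, window=1.0):
    """(upload, read) pairs for the same case-folded JSP path within `window`
    seconds of each other, in either order: the 'concurrent reads and uploads
    of the same file' pattern from the advisory. A heuristic, not proof."""
    by_key = defaultdict(lambda: {"put": [], "read": []})
    for e in filter(None, map(parse_line, lines)):
        if not e["key"].endswith(JSP_EXT):
            continue
        if e["method"] == "PUT":
            by_key[e["key"]]["put"].append(e)
        elif e["method"] in READ_METHODS:
            by_key[e["key"]]["read"].append(e)
    pairs = []
    for key, ev in by_key.items():
        for p in ev["put"]:
            for r in ev["read"]:
                gap = abs((r["time"] - p["time"]).total_seconds())
                if gap <= window:
                    pairs.append({"path": key, "put_host": p["host"], "put_path": p["path"],
                                  "read_host": r["host"], "read_path": r["path"], "gap_s": gap})
    return pairs


SAMPLE_LOG = [  # constructed sample lines, not a real capture
    '10.0.0.5 - - [20/Dec/2024:10:15:01 +0000] "PUT /shell.Jsp HTTP/1.1" 201 -',
    '10.0.0.5 - - [20/Dec/2024:10:15:01 +0000] "GET /shell.jsp HTTP/1.1" 200 42',
    '10.0.0.5 - - [20/Dec/2024:10:15:02 +0000] "PUT /shell.Jsp HTTP/1.1" 204 -',
    '10.0.0.9 - - [20/Dec/2024:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.9 - - [20/Dec/2024:10:21:00 +0000] "PUT /docs/readme.txt HTTP/1.1" 201 -',
    '10.0.0.9 - - [20/Dec/2024:10:30:00 +0000] "GET /shell.jsp HTTP/1.1" 200 42',
    'not an access log line',
]

if __name__ == "__main__":
    print("write-enabled evidence:", sorted(successful_jsp_puts(SAMPLE_LOG)))
    for hit in put_read_races(SAMPLE_LOG):
        print(f"race candidate {hit['path']}: PUT {hit['put_path']} from {hit['put_host']} "
              f"and read of {hit['read_path']} from {hit['read_host']} within {hit['gap_s']:.0f}s")
```

Access-log timestamps have one-second resolution, so the window cannot distinguish a genuine race from a benign upload-then-view within the same second; treat a hit as a trigger for pulling the file from disk and checking for JSP content, and treat any accepted PUT to a JSP-like path as a misconfiguration regardless of races.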

🔗 References
