OL CVE Issue Summary :

Resolved a critical path-equivalence vulnerability in the DefaultServlet that could allow remote code execution or unauthorized file modification via partial PUT and session persistence exploitation, preventing attackers from writing malicious content to server storage. Improvements include enhancing the lifecycle of temporary files used by partial PUT and removing intermediate temporary file retention to mitigate the underlying unsafe file handling that enabled the exploit.

OL CVE Issue Summary :

Fixed an issue in Tomcat’s Jakarta Authentication (JASPIC) integration where a custom ServerAuthContext could throw an exception during authentication without an appropriate HTTP failure status, potentially allowing unauthorized access. Tomcat now defensively handles such uncaught exceptions by treating them as authentication failures and ensuring a proper error response is sent (500, Internal Server Error), preventing request processing from continuing.

OL CVE Issue Summary:

Fixed a race condition in the DefaultServlet, where concurrent GET and PUT/DELETE requests for the same resource could result in inconsistent file metadata. Under specific misconfigurations, this inconsistency could allow a resource to be accessed during upload or deletion. The fix ensures resource metadata remains consistent across concurrent read and write operations.

OL CVE Issue Summary:

Improper Handling of Exceptional Conditions and Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to miscounting active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout, allowing connections to remain open that should have been closed.

OL CVE Issue Summary:

Denial-of-Service via TLS handshake: This fix supports TLS 1.3 client-initiated re-keying and imposes internal handshake queue limits, closing a path where a malicious TLS handshake could trigger an uncontrolled memory allocation and lead to an OutOfMemoryError.

OL CVE Issue Summary:

The fix addresses a Session Fixation vulnerability in the RewriteValve. It ensures that the session ID is properly appended to redirect URLs, maintaining session integrity. Session information is also correctly cleared when handling cross-context requests within the RewriteValve, further strengthening session management logic.

OL CVE Issue Summary:

The fix addresses Denial of Service vulnerability in the HTTP/2 implementation. The fix forces to apply the MAX_CONCURRENT_STREAMS limit to the current settings immediately, mitigating the DoS risk by ensuring the server enforces the limit regardless of client acknowledgement.

OL CVE Issue Summary:

The fix addresses a Relative Path Traversal vulnerability in the RewriteValve. It ensures the rewritten URL is decoded before it is normalized, preventing the possibility of bypassing URL security constraints and accessing/manipulating restricted files. 
 

OL CVE Issue Summary:

The patch addresses this CVE by making APR/Native connector thread safe.

OL CVE Issue Summary :

This release addresses CVE-2024-56337 security vulnerability that pertains to an incomplete mitigation of the previously disclosed vulnerability CVE-2024 50379. The vulnerability arises from a race condition that could lead to Remote Code Execution (RCE) under specific configurations. 
Important: CVE-2024-50379 mitigation 
The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case-insensitive file system with the default servlet write-enabled (the readonly initialization parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java you are using with Tomcat: 
• Running on Java 8 or Java 11: The system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true). 
• Running on Java 17: The system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false). 
• Running on Java 21 and later: No further configuration is required (the system property and the problematic cache have been removed).