# CVE-2024-56337

| Field | Value |
|---|---|
| CVE ID | CVE-2024-56337 |
| CVSS Score | 9.8 |
| Operating System | |
| Affected Versions | |
| Patched Versions | 8.5.107-OL |
| Patch Date | |
| Last Updated Date | |
| Vector String | |

## Additional Information

OL CVE Summary:
## Bug Fixes
- **CVE-2024-56337:** This release addresses CVE-2024-56337, which tracks the incomplete mitigation of the previously disclosed Apache Tomcat vulnerability CVE-2024-50379. The underlying issue is a time-of-check/time-of-use race condition in the default servlet: on a case-insensitive file system with write enabled, a concurrent read and upload of the same path can bypass Tomcat's case-sensitivity checks, so an uploaded file can be compiled and executed as a JSP, leading to Remote Code Execution (RCE). The race is only reachable in the non-default configuration described below.
#### Important Information Regarding CVE-2024-50379 Mitigation
- The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case-insensitive file system with the default servlet write-enabled
(the `readonly` initialization parameter of the `default` servlet set to the non-default value `false`) need additional configuration to fully mitigate
CVE-2024-50379, depending on which version of Java they are running Tomcat on:
  * **Running on Java 8 or Java 11:** The system property `sun.io.useCanonCaches` must be explicitly set to `false` (it defaults to `true`).
  * **Running on Java 17:** The system property `sun.io.useCanonCaches`, if set, must be set to `false` (it defaults to `false`).
  * **Running on Java 21 onwards:** No further configuration is required (the system property and the problematic cache have been removed).
- The property is a JVM system property, so it must be passed on the Tomcat JVM command line (for example via `CATALINA_OPTS` in `bin/setenv.sh`), not in `web.xml`. On a running instance, `jcmd <pid> VM.system_properties` shows whether the `-D` flag actually reached the JVM. Instances whose default servlet is left at the default `readonly=true` are not affected by this gap.
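The decision table above is easy to get wrong by hand when fleets mix Java releases. The following POSIX shell script is an added example, not part of this advisory or of Tomcat: it reads the `readonly` init-param of the `default` servlet from a `web.xml`, normalizes a Java version string to its major release, and reports whether `-Dsun.io.useCanonCaches=false` is still required. The `web.xml` fragment is constructed for the example; the `setenv.sh` line it emits is the standard way to pass JVM options to Tomcat.

```shell
#!/bin/sh
# Added example, not vendor or Tomcat code. Decides whether a Tomcat instance
# still needs -Dsun.io.useCanonCaches=false to complete the CVE-2024-50379
# mitigation (CVE-2024-56337):
#   - only relevant when the default servlet is write-enabled (readonly=false)
#   - Java 8/11: property defaults to true, must be set to false
#   - Java 17:   property defaults to false, must not be set to true
#   - Java 21+:  property removed, nothing to do

# java_major VERSION -> major release ("1.8.0_392" -> 8, "17.0.9" -> 17)
java_major() {
  v=$1
  case "$v" in
    1.*) v=${v#1.} ;;   # legacy 1.x numbering used by Java 8 and earlier
  esac
  printf '%s\n' "${v%%.*}"
}

# default_servlet_readonly WEB_XML -> value of the default servlet's readonly
# init-param, or "true" (Tomcat's default) when the parameter is absent.
default_servlet_readonly() {
  awk '
    /<servlet>/ { in_servlet = 1; is_default = 0; want = 0 }
    /<servlet-name>[ \t]*default[ \t]*<\/servlet-name>/ { if (in_servlet) is_default = 1 }
    /<param-name>[ \t]*readonly[ \t]*<\/param-name>/    { if (in_servlet && is_default) want = 1 }
    /<param-value>/ {
      if (want) {
        v = $0
        sub(/.*<param-value>[ \t]*/, "", v)
        sub(/[ \t]*<\/param-value>.*/, "", v)
        print v; found = 1; exit
      }
    }
    /<\/servlet>/ { in_servlet = 0 }
    END { if (!found) print "true" }
  ' "$1"
}

# required_action MAJOR READONLY -> what to do with sun.io.useCanonCaches
#   not-exposed     readonly is not "false": the write path is disabled
#   set-false       Java 8/11: add -Dsun.io.useCanonCaches=false
#   unset-or-false  Java 17: leave unset or set to false, never true
#   none            Java 21+: property no longer exists
required_action() {
  major=$1
  ro=$2
  if [ "$ro" != "false" ]; then
    echo not-exposed
  elif [ "$major" -le 11 ]; then
    echo set-false
  elif [ "$major" -lt 21 ]; then
    echo unset-or-false
  else
    echo none
  fi
}

# setenv_line ACTION -> line to add to $CATALINA_BASE/bin/setenv.sh, if any
setenv_line() {
  case "$1" in
    set-false|unset-or-false)
      echo 'export CATALINA_OPTS="$CATALINA_OPTS -Dsun.io.useCanonCaches=false"' ;;
    *) echo '' ;;
  esac
}

# Constructed web.xml fragment with the default servlet write-enabled
# (sample input for the example, not a real deployment).
SAMPLE_WEB_XML=$(mktemp)
trap 'rm -f "$SAMPLE_WEB_XML"' EXIT
cat > "$SAMPLE_WEB_XML" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
EOF

# Stand-alone run: evaluate the sample against a Java 8 version string.
MAJOR=$(java_major "1.8.0_392")
RO=$(default_servlet_readonly "$SAMPLE_WEB_XML")
ACTION=$(required_action "$MAJOR" "$RO")
echo "java=$MAJOR readonly=$RO action=$ACTION"
setenv_line "$ACTION"
```

Point `default_servlet_readonly` at `$CATALINA_BASE/conf/web.xml` and feed `java_major` the version from `java -version` (or `$JAVA_HOME`) of the JVM Tomcat actually starts with. An instance that reports `not-exposed` is running the default servlet read-only and is outside the scope of this gap.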