Agenda

Background

CVE-2024-50379

CVE-2024-56337

Reflections

Questions

Background

URLs are case sensitive

URLs are very often mapped to file systems

Windows and macOS file systems are (usually) case insensitive

Need to be able to differentiate between a request for a.Jsp and a.jsp

File.getCanonicalPath()

Note

Summaries of the much longer emails

Some emails have been skipped

Friday 18 October 2024

10:51 "I have found an RCE. How do I report it?" Also mentions HackerOne bounty.

13:19 "Here. Plain text."

14:28 "PoC and 30MB mp3"

Summary of report

Enable write in Default Servlet

Enable the CORS Filter

Windows only

PUT a.Jsp

DELETE a.Jsp

GET a.jsp

Repeat a lot until GET a.jsp returns the uploaded file

First thoughts

CORS?

Tomcat 8 is out of scope

Tomcat 11 onwards not affected?

Need full configuration details

The PoC isn't consistent with the video

It isn't clear what is going on here

Insecure configuration?

Monday 21 October 2024

03:38 "MacOS also affected"

08:17 "Clarification questions"

15:24 "Konstantin finds a TOCTOU issue in the canonical file name check"

Wednesday 23 October 2024

14:43 "Confirm RCE. Allocate CVE."

"How do we fix this?"

"..."

Friday 25 October 2024

"Konstantin suggests File.list()"

Monday 28 October 2024

05:30 "Additional information including a PoC in python"

"File.list() is too slow"

"..."

"Locking"

Tuesday 29 October 2024

Can't reproduce issue with Python PoC

But it does highlight cache issues

Use the fix for this to mask the CVE fix?

Wednesday 30 October 2024

Performance numbers for the locking solution

Monday 4 November 2024

16:07 "Please test this fix."

18:09 "It isn't fixed."

Saturday 9 November 2024

Tomcat 9.0.97 released

Tomcat 10.1.31 released

Sunday 10 November 2024

Tomcat 11.0.2 released

Friday 15 November 2024

15:07 "I messed up the locking fix."

Monday 18 November 2024

09:39 "Please re-test."

Tuesday 19 November 2024

07:22 "Fix confirmed."

Monday 9 December 2024

Tomcat 9.0.98 released

Tomcat 10.1.34 released

Tomcat 11.0.2 released

Tuesday 17 December 2024

12:26 "Announce CVE-2024-50379"

18:42 "CVE-2024-50379 is not fixed"

Wednesday 18 December 2024

07:28 "Huh? What changed?"

Jonathan Gallimore (TomEE) provides a PoC that does reproduce the issue

19:28 "Does disabling caching have an impact?"

Thursday 19 December 2024

05:29 "Disabling caching has no effect"

I am able to reproduce the issue locally

Jonathan Gallimore continues to help us test different scenarios

Java 17 onwards not affected

Thursday 19 December 2024

14:25 "Found it. Java has a cache for canonical file names"

Friday 20 December 2024

15:17 "Announce CVE-2024-56337"

Use Java system properties to disable the cache

Will try to enforce this in a future Tomcat version
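As an added example (not Tomcat's code), this program shows the getCanonicalPath() check from the Background slides that tells a.Jsp apart from a.jsp, and then probes the JDK canonical file name cache from the 19 December slide; the class and method names are mine, and sun.io.useCanonCaches is the JDK system property that controls that cache on Java 8 and 11.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example: canonical-name check plus a probe for the JDK canonical cache. */
public class CanonicalCaseCheck {

    /** Accept the request only if the name stored on disk matches it exactly (case included). */
    static boolean matchesOnDisk(File base, String requested) throws IOException {
        File f = new File(base, requested);
        // getCanonicalPath() reports the case the file system actually stores
        String canonical = f.getCanonicalPath();
        String expected = new File(base.getCanonicalFile(), requested).getPath();
        return f.exists() && canonical.equals(expected);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("canon");
        File base = dir.toFile();
        byte[] content = "constructed sample content".getBytes();

        // Store the file as a.Jsp, then ask for a.jsp: the check must refuse it
        Files.write(dir.resolve("a.Jsp"), content);
        System.out.println("a.jsp while a.Jsp is on disk: " + matchesOnDisk(base, "a.jsp"));

        // Replace it with a.jsp (same path on a case-insensitive file system)
        Files.delete(dir.resolve("a.Jsp"));
        Files.write(dir.resolve("a.jsp"), content);

        // With the JDK canonical cache active (Java 8/11 default) the cached answer
        // for this path is still a.Jsp, so the check keeps failing until the cache
        // entry expires. Java 17 onwards has the cache off, so this prints true.
        boolean ok = matchesOnDisk(base, "a.jsp");
        System.out.println("a.jsp after the swap: " + ok
            + " (sun.io.useCanonCaches=" + System.getProperty("sun.io.useCanonCaches") + ")");
        if (!ok) {
            System.out.println("Stale canonical name: start the JVM with -Dsun.io.useCanonCaches=false");
        }
    }
}
```

On a case-sensitive file system the first check is false simply because a.jsp does not exist, so the cache effect is only visible on Windows or macOS.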

Reflections

Good: The overall process

Bad: Ignoring instincts

Ugly: Not fixing it the first time