modules/cve-2024-50379.html

<!-- Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Agenda</h3>
  <p>Background</p>
  <p>CVE-2024-50379</p>
  <p>CVE-2024-56337</p>
  <p>Reflections</p>
  <p>Questions</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Background</h3>
  <p>URLs are case sensitive</p>
  <p>URLs are very often mapped to file systems</p>
  <p>Windows and macOS file systems are (usually) case insensitive</p>
  <p>Need to be able to differentiate between a request for a.Jsp and a.jsp</p>
  <p>File.getCanonicalPath()</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Note</h3>
  <p>Summaries of the much longer emails</p>
  <p>Some emails have been skipped</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Friday 18 October 2024</h3>
  <p align="left">10:51 "I have found an RCE. How do I report it?" Also mentions HackerOne bounty.</p>
  <p align="right">13:19 "Here. Plain text."</p>
  <p align="left">14:28 "PoC and 30MB mp3"</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Summary of report</h3>
  <p>Enable write in Default Servlet</p>
  <p>Enable the CORS Filter</p>
  <p>Windows only</p>
  <p>PUT a.Jsp</p>
  <p>DELETE a.Jsp</p>
  <p>GET a.jsp</p>
  <p>Repeat a lot until GET a.jsp returns the uploaded file</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>First thoughts</h3>
  <p>CORS?</p>
  <p>Tomcat 8 is out of scope</p>
  <p>Tomcat 11 onwards not affected?</p>
  <p>Need full configuration details</p>
  <p>The PoC isn't consistent with the video</p>
  <p>It isn't clear what is going on here</p>
  <p>Insecure configuration?</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Monday 21 October 2024</h3>
  <p align="left">03:38 "macOS also affected"</p>
  <p align="right">08:17 "Clarification questions"</p>
  <p align="right">15:24 "Konstantin finds a TOCTOU issue in the canonical file name check"</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Wednesday 23 October 2024</h3>
  <p align="right">14:43 "Confirm RCE. Allocate CVE."</p>
  <p align="right">"How do we fix this?"</p>
  <p align="right">"..."</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Friday 25 October 2024</h3>
  <p align="right">"Konstantin suggests File.list()"</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Monday 28 October 2024</h3>
  <p align="left">05:30 "Additional information including a PoC in Python"</p>
  <p align="right">"File.list() is too slow"</p>
  <p align="right">"..."</p>
  <p align="right">"Locking"</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Tuesday 29 October 2024</h3>
  <p align="right">Can't reproduce the issue with the Python PoC</p>
  <p align="right">But it does highlight cache issues</p>
  <p align="right">Use the fix for this to mask the CVE fix?</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Wednesday 30 October 2024</h3>
  <p align="right">Performance numbers for the locking solution</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Monday 4 November 2024</h3>
  <p align="right">16:07 "Please test this fix."</p>
  <p align="left">18:09 "It isn't fixed."</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Saturday 9 November 2024</h3>
  <p>Tomcat 9.0.97 released</p>
  <p>Tomcat 10.1.31 released</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Sunday 10 November 2024</h3>
  <p>Tomcat 11.0.1 released</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Friday 15 November 2024</h3>
  <p align="right">15:07 "I messed up the locking fix."</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Monday 18 November 2024</h3>
  <p align="right">09:39 "Please re-test."</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Tuesday 19 November 2024</h3>
  <p align="left">07:22 "Fix confirmed."</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Monday 9 December 2024</h3>
  <p>Tomcat 9.0.98 released</p>
  <p>Tomcat 10.1.34 released</p>
  <p>Tomcat 11.0.2 released</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Tuesday 17 December 2024</h3>
  <p align="right">12:26 "Announce CVE-2024-50379"</p>
  <p align="left">18:42 "CVE-2024-50379 is not fixed"</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Wednesday 18 December 2024</h3>
  <p align="right">07:28 "Huh? What changed?"</p>
  <p>Jonathan Gallimore (TomEE) provides a PoC that does reproduce the issue</p>
  <p align="right">19:28 "Does disabling caching have an impact?"</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Thursday 19 December 2024</h3>
  <p align="left">05:29 "Disabling caching has no effect"</p>
  <p>I am able to reproduce the issue locally</p>
  <p>Jonathan Gallimore continues to help us test different scenarios</p>
  <p>Java 17 onwards not affected</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Thursday 19 December 2024</h3>
  <p align="left">14:25 "Found it. Java has a cache for canonical file names"</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Friday 20 December 2024</h3>
  <p align="right">15:17 Announce CVE-2024-56337</p>
  <p align="right">Use Java system properties to disable the cache</p>
  <p align="right">Will try and enforce this in a future Tomcat version</p>
</section>
<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Reflections</h3>
  <p>Good: The overall process</p>
  <p>Bad: Ignoring instincts</p>
  <p>Ugly: Not fixing it the first time</p>
</section>
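<section data-background-image="../images/tomcat.svg" data-background-size="contain" data-background-opacity="0.15">
  <h3>Added example: auditing the preconditions</h3>
  <p>The following Python audit is an added example; it is not part of the original deck and not Tomcat's own code. It checks, offline, the two preconditions the slides describe: a DefaultServlet that is write enabled (the readonly init-param set to the non-default value false, which is what makes the PUT and DELETE steps of the report possible) and a JVM whose canonical file name cache (the sun.io.useCanonicalCaches system property) is still on, which is what made the December fix insufficient. The web.xml it parses is constructed inline. Two modelling choices are assumptions made here: the readonly value is interpreted the way Java's Boolean.parseBoolean does (anything other than a case-insensitive "true" counts as false), and the Java version boundary of 17 follows the testing summarised on the slides, so any older JVM without the property set explicitly to false is flagged even though some releases between 8/11 and 17 already default the cache off; setting the property there is harmless.</p>

```python
"""Audit the two preconditions behind CVE-2024-50379 / CVE-2024-56337.

Constructed example, not Tomcat code.  It answers, offline:
  1. Is the DefaultServlet write enabled (readonly=false)?
  2. Is the JDK canonical file name cache (sun.io.useCanonicalCaches) on?
"""

import re
import xml.etree.ElementTree as ET

CANON_CACHE_PROP = "sun.io.useCanonicalCaches"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """'{uri}name' -> 'name', so namespaced and plain web.xml parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    """True when the DefaultServlet declared in this file accepts PUT/DELETE.

    Assumption: mirrors Tomcat's Boolean.parseBoolean() handling of the
    readonly init-param: parameter absent means read-only (the shipped
    default); any value other than a case-insensitive 'true' means writable.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if DEFAULT_SERVLET not in classes:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value", "").lower() != "true"
        return False  # DefaultServlet declared without readonly: read-only
    return False  # no DefaultServlet declared here: Tomcat's default is read-only


def canonical_cache_unsafe(java_major, jvm_args):
    """True when the JDK canonical path cache may be enabled for this JVM.

    Java 8 and 11 default the cache on and need -Dsun.io.useCanonicalCaches=false.
    The slides found Java 17 onwards unaffected (default off), so there only an
    explicit 'true' is flagged.  Assumption (conservative): anything below 17
    without the property is flagged.  The JDK compares the value
    case-insensitively with 'true'; later -D definitions override earlier ones.
    """
    explicit = None
    pattern = re.compile(r"-D" + re.escape(CANON_CACHE_PROP) + r"(?:=(.*))?")
    for arg in jvm_args:
        m = pattern.fullmatch(arg)
        if m:
            explicit = m.group(1) or ""  # '-Dprop' with no value sets it to ""
    if explicit is None:
        return java_major < 17
    return explicit.strip().lower() == "true"


def audit(web_xml, java_major, jvm_args, case_insensitive_fs):
    """Combine the checks.  The RCE needs a write-enabled DefaultServlet on a
    case-insensitive file system (Windows, macOS); the cache decides whether
    the fixed Tomcat releases alone are enough."""
    writable = default_servlet_writable(web_xml)
    cache_unsafe = canonical_cache_unsafe(java_major, jvm_args)
    findings = []
    if writable:
        findings.append("DefaultServlet readonly=false: PUT/DELETE of files is "
                        "enabled; set readonly=true unless uploads are required")
    if cache_unsafe:
        findings.append(f"JDK canonical file name cache may be on: add "
                        f"-D{CANON_CACHE_PROP}=false to CATALINA_OPTS")
    return {
        "writable_default_servlet": writable,
        "canonical_cache_unsafe": cache_unsafe,
        "needs_attention": writable and case_insensitive_fs,
        "findings": findings,
    }


def sample_web_xml(readonly=None):
    """Constructed minimal web.xml declaring the DefaultServlet; readonly=None
    leaves the parameter out (Tomcat's shipped default)."""
    extra = ""
    if readonly is not None:
        extra = ("    <init-param>\n"
                 "      <param-name>readonly</param-name>\n"
                 f"      <param-value>{readonly}</param-value>\n"
                 "    </init-param>\n")
    return (
        '<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">\n'
        "  <servlet>\n"
        "    <servlet-name>default</servlet-name>\n"
        f"    <servlet-class>{DEFAULT_SERVLET}</servlet-class>\n"
        "    <init-param>\n"
        "      <param-name>listings</param-name>\n"
        "      <param-value>false</param-value>\n"
        "    </init-param>\n"
        f"{extra}"
        "    <load-on-startup>1</load-on-startup>\n"
        "  </servlet>\n"
        "</web-app>\n"
    )


if __name__ == "__main__":
    # The reporter's setup: write-enabled DefaultServlet on Windows, Java 11,
    # no canonical cache property on the command line.
    report = audit(sample_web_xml("false"), 11, ["-Xmx1g"], case_insensitive_fs=True)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("needs attention:", report["needs_attention"])
```

  <p>Run it against a real deployment by reading the web application's web.xml (and conf/web.xml, which supplies the DefaultServlet when the application does not declare one), the JVM major version, and the CATALINA_OPTS/JAVA_OPTS list; an empty findings list on a patched Tomcat is the state the December advisories ask for.</p>
</section>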