Categories: Cyber Security News

Critical Apache Tomcat Vulnerability Enables Remote Code Execution – PoC Released

A security vulnerability identified as CVE-2025-24813 has been discovered in Apache Tomcat, affecting multiple versions and potentially allowing attackers to execute remote code or access sensitive information.

The vulnerability stems from a path equivalence issue involving internal dots in file names, which can be leveraged when specific server configurations are in place.

Proof-of-concept code demonstrating the exploitation techniques has been released, highlighting the urgent need for organizations to update their Apache Tomcat installations.

The newly discovered vulnerability presents attackers with several exploitation pathways, each requiring different preconditions to be met.

For information disclosure and malicious content injection attacks, the vulnerability can be exploited when writes are enabled for the default servlet, partial PUT support is active, and the target environment has overlapping upload directories for public and sensitive content.

Attackers must possess knowledge of sensitive file names being uploaded and ensure these files are transferred via partial PUT requests.

Under these circumstances, malicious users can view security-sensitive files and inject arbitrary content into existing uploads, potentially compromising data integrity and confidentiality.

The remote code execution attack vector presents an even more severe threat to affected systems. This exploitation path requires writes to be enabled for the default servlet and partial PUT support to remain active, similar to the information disclosure variant.

However, the critical difference lies in the additional requirements of file-based session persistence using Tomcat’s default storage location and the presence of libraries vulnerable to deserialization attacks.

When these conditions align, attackers can achieve complete system compromise through remote code execution, potentially gaining full control over the affected server infrastructure.

Widespread Impact Across Multiple Tomcat Versions

The vulnerability affects an extensive range of Apache Tomcat versions currently deployed in production environments worldwide.

The impact spans three major version branches, affecting Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and the widely deployed 9.0.0.M1 through 9.0.98 series.

This broad version coverage suggests that numerous organizations may be running vulnerable instances, particularly given the popularity of Apache Tomcat as a web application server in enterprise environments.

The default configuration of Apache Tomcat provides some inherent protection, as write capabilities for the default servlet are disabled by default.

However, many production deployments modify these default settings to enable specific functionality, potentially exposing systems to exploitation.

The combination of enabled partial PUT support, which remains active by default, with custom configurations enabling write operations creates the necessary conditions for successful attacks.
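A defender-side check for the two default-servlet settings the article names as preconditions, added here as an example (it is not code from the article or from the Tomcat project). It assumes Tomcat's actual DefaultServlet init-param names, readonly (default true) and allowPartialPut (default true), and runs over a constructed conf/web.xml rather than a real deployment.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip an XML namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml):
    """Return the init-params declared on the DefaultServlet as a dict (empty if it is not declared)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join((c.text or "") for c in servlet if _local(c.tag) == "servlet-class").strip()
        if cls != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            fields = {_local(f.tag): (f.text or "").strip() for f in ip}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
        return params
    return {}

def assess(web_xml):
    """Flag the two DefaultServlet settings the advisory lists as exploitation preconditions."""
    p = default_servlet_params(web_xml)
    writes_enabled = p.get("readonly", "true").lower() == "false"       # Tomcat default: readonly=true
    partial_put = p.get("allowPartialPut", "true").lower() != "false"   # Tomcat default: allowPartialPut=true
    return {"writes_enabled": writes_enabled, "partial_put": partial_put,
            "preconditions_met": writes_enabled and partial_put}

# Constructed samples: a stock declaration, and one where an operator has turned on writes.
STOCK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WRITABLE_WEB_XML = STOCK_WEB_XML.replace(
    "</servlet>",
    "  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n  </servlet>")

if __name__ == "__main__":
    for label, xml in (("stock", STOCK_WEB_XML), ("writable", WRITABLE_WEB_XML)):
        print(label, assess(xml))
```

The stock file reports partial PUT on but writes off, so the preconditions are not met; the writable variant meets both and is the configuration to remediate (or patch) first.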

Apache Tomcat maintainers have responded swiftly to address this critical vulnerability by releasing patched versions across all affected branches.

Users are strongly advised to upgrade immediately to version 11.0.3, 10.1.35, or 9.0.99, depending on their current deployment.

These updated versions contain comprehensive fixes that eliminate the path equivalence vulnerability and prevent the various attack scenarios described in the security advisory.

Organizations should prioritize this update given the potential for remote code execution and the availability of proof-of-concept exploitation code.

System administrators should also review their current Tomcat configurations to ensure that unnecessary write permissions are disabled and that session persistence mechanisms are properly secured until patching can be completed.


The post Critical Apache Tomcat Vulnerability Enables Remote Code Execution – PoC Released appeared first on Cyber Security News.

rssfeeds-admin
