CVE-2024-52316: Critical vulnerability in Apache Tomcat

Critical vulnerability CVE-2024-52316 affecting Apache Tomcat allows authentication bypass when using the Jakarta Authentication API

A critical vulnerability has been identified in Apache Tomcat, the servlet container widely used in enterprise environments to serve Java web applications. The issue, tracked as CVE-2024-52316, lets an unauthenticated remote attacker bypass authentication on servers running a specific, non-default configuration, giving access to resources that should require a login.

The flaw lies in Tomcat's integration with Jakarta Authentication (formerly known as JASPIC). If Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, authentication may not fail, and the request can proceed as though the user had authenticated. Two conditions are therefore required: Jakarta Authentication must be enabled (providers are normally registered in conf/jaspic-providers.xml or programmatically through AuthConfigFactory), and the custom ServerAuthContext in use must behave this way. Apache's announcement states that it knows of no Jakarta Authentication component that does, so exposure in practice comes from in-house modules.

Main features

The main characteristics of this vulnerability are detailed below:

  • Identifier: CVE-2024-52316.
  • Publication Date: 15 November 2024.
  • Affected Software: Apache Tomcat.
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 (Critical) as scored by NVD. The Apache Tomcat security team rated the issue Low in its own announcement, because the bypass depends on a non-default Jakarta Authentication setup with a custom ServerAuthContext.
  • Impact: Authentication bypass under specific configurations.
  • Affected Versions:
    • Apache Tomcat 11.0.0-M1 to 11.0.0-M26.
    • Apache Tomcat 10.1.0-M1 to 10.1.30.
    • Apache Tomcat 9.0.0-M1 to 9.0.95.

Mitigation

The main solution for this vulnerability is to update Apache Tomcat to the fixed versions:

  • Apache Tomcat 11.0.0.
  • Apache Tomcat 10.1.31.
  • Apache Tomcat 9.0.96.

Additionally, review any custom ServerAuthContext or ServerAuthModule implementations: an authentication failure must be made explicit by setting an HTTP error status on the response (for example 401 or 403) and returning AuthStatus.SEND_FAILURE, rather than relying on a propagated exception to stop the request. This hardening is worthwhile even on patched versions, since it removes any dependence on how the container treats an exception from the module.
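The following is an added example, not code from the Tomcat project or from the advisory, illustrating both the failure pattern described above (an exception escaping the authentication step with no status on the response) and the hardened handling recommended for custom implementations. It is a Jakarta Authentication ServerAuthModule that checks a bearer token; Tomcat wraps such modules in a ServerAuthContext, so an exception escaping validateRequest() is exactly the condition the advisory describes. The package, class, header name and the "token.<user>" option naming are illustrative assumptions, as is the assumption that module properties arrive through the options map. It targets the jakarta.* API used by Tomcat 10.1 and 11; Tomcat 9 uses the javax.security.auth.message and javax.servlet packages instead.

```java
// Added example (not Tomcat or advisory code). Illustrative names; jakarta.* API.
package com.example.auth;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.MessagePolicy;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.callback.GroupPrincipalCallback;
import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

public class TokenAuthModule implements ServerAuthModule {

    private CallbackHandler handler;
    // token -> user name, assumed to arrive as options named "token.<user>"
    private final Map<String, String> tokens = new HashMap<>();

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
            CallbackHandler handler, Map<String, Object> options) throws AuthException {
        this.handler = handler;
        for (Map.Entry<String, Object> e : options.entrySet()) {
            if (e.getKey().startsWith("token.")) {
                tokens.put(String.valueOf(e.getValue()), e.getKey().substring("token.".length()));
            }
        }
    }

    @Override
    public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        String header = request.getHeader("Authorization");
        String user = null;
        if (header != null && header.startsWith("Bearer ")) {
            user = tokens.get(header.substring("Bearer ".length()).trim());
        }
        if (user == null) {
            // Ordinary failure: mark the response explicitly, never just return.
            return sendFailure(response, HttpServletResponse.SC_UNAUTHORIZED);
        }
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, new String[] { "user" }) });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException | RuntimeException e) {
            // Pattern the advisory warns about (do NOT do this):
            //     throw new AuthException("cannot establish caller");
            // The exception reaches the container while the response still carries
            // no failure status, the condition under which affected builds may not fail.
            //
            // Hardened: set a failure status first, then report SEND_FAILURE, so the
            // outcome no longer depends on how the container treats the exception.
            return sendFailure(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    private static AuthStatus sendFailure(HttpServletResponse response, int status) {
        if (status == HttpServletResponse.SC_UNAUTHORIZED) {
            response.setHeader("WWW-Authenticate", "Bearer realm=\"example\"");
        }
        response.setStatus(status);       // the explicit failure status the advisory calls for
        try {
            response.sendError(status);   // render the error page if nothing is committed yet
        } catch (IOException | IllegalStateException ignored) {
            // status is already set; a failed error page must not become a pass
        }
        return AuthStatus.SEND_FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

To exercise it, the compiled class goes on Tomcat's class path and is registered in conf/jaspic-providers.xml as a module under a provider using Tomcat's own org.apache.catalina.authenticator.jaspic.SimpleAuthConfigProvider, which wraps the module in a ServerAuthContext. The design point is the single sendFailure() path: every non-success outcome, including unexpected exceptions, leaves the response with an error status before control returns to the container.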

Vulnerability detection

To identify whether a system is vulnerable, check the installed Apache Tomcat version (bin/version.sh reports it, as does the ServerInfo.properties resource inside lib/catalina.jar). If it falls within the affected ranges, an update is required. Then check whether Jakarta Authentication is actually in use (providers in conf/jaspic-providers.xml or registered programmatically through AuthConfigFactory): without a custom ServerAuthContext the bypass cannot be triggered, which helps prioritise, but the patch should be applied regardless.
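As an added example (not the advisory's or any vendor's tooling), the following program classifies an installation against the affected ranges listed above and reports whether any Jakarta Authentication provider is configured. It handles the milestone suffix correctly ("11.0.0-M26" sorts before "11.0.0"), reads the version from org/apache/catalina/util/ServerInfo.properties in lib/catalina.jar, and assumes CATALINA_BASE is the same directory as CATALINA_HOME so that conf/jaspic-providers.xml is found beside it. The class name and the NOT_LISTED label for branches the advisory does not mention (for example 8.5.x or 10.0.x) are this example's own.

```java
// Added example (not advisory or Tomcat code): CVE-2024-52316 version classifier.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TomcatVersionCheck {

    public enum Status { AFFECTED, FIXED, NOT_LISTED }

    // First fixed version per branch, as listed in the advisory; every earlier
    // build of that branch (milestones included) is affected.
    private static final String[][] FIXED = {
        { "9.0",  "9.0.96"  },
        { "10.1", "10.1.31" },
        { "11.0", "11.0.0"  },
    };

    private static final Pattern VERSION = Pattern.compile("(\\d+)\\.(\\d+)\\.(\\d+)(?:-M(\\d+))?");

    /** Parses "10.1.30" or "11.0.0-M26" into a comparable tuple; null if unrecognised. */
    static int[] parse(String v) {
        Matcher m = VERSION.matcher(v.trim());
        if (!m.matches()) return null;
        // A milestone sorts before the final release of the same number.
        int milestone = m.group(4) == null ? Integer.MAX_VALUE : Integer.parseInt(m.group(4));
        return new int[] { Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)),
                           Integer.parseInt(m.group(3)), milestone };
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 4; i++) {
            int c = Integer.compare(a[i], b[i]);
            if (c != 0) return c;
        }
        return 0;
    }

    public static Status classify(String version) {
        int[] v = parse(version);
        if (v == null) throw new IllegalArgumentException("unrecognised version: " + version);
        String branch = v[0] + "." + v[1];
        for (String[] row : FIXED) {
            if (row[0].equals(branch)) {
                return compare(v, parse(row[1])) < 0 ? Status.AFFECTED : Status.FIXED;
            }
        }
        return Status.NOT_LISTED;   // branch not covered by the advisory (e.g. 8.5.x, 10.0.x)
    }

    /** Reads "Apache Tomcat/9.0.95" from ServerInfo.properties and returns "9.0.95". */
    public static String installedVersion(Path catalinaJar) throws IOException {
        try (JarFile jar = new JarFile(catalinaJar.toFile())) {
            JarEntry entry = jar.getJarEntry("org/apache/catalina/util/ServerInfo.properties");
            if (entry == null) throw new IOException("ServerInfo.properties not found in " + catalinaJar);
            Properties p = new Properties();
            try (InputStream in = jar.getInputStream(entry)) { p.load(in); }
            String info = p.getProperty("server.info", "");
            int slash = info.lastIndexOf('/');
            if (slash < 0) throw new IOException("unexpected server.info: " + info);
            return info.substring(slash + 1);
        }
    }

    /** True if conf/jaspic-providers.xml declares at least one provider (comments ignored). */
    public static boolean jaspicConfigured(Path providersXml) throws IOException {
        if (!Files.exists(providersXml)) return false;
        String xml = new String(Files.readAllBytes(providersXml), "UTF-8")
                .replaceAll("(?s)<!--.*?-->", "");
        return Pattern.compile("<provider\\s").matcher(xml).find();
    }

    // Usage: java TomcatVersionCheck /opt/tomcat   (CATALINA_HOME, assumed == CATALINA_BASE)
    public static void main(String[] args) throws IOException {
        Path home = Paths.get(args[0]);
        String version = installedVersion(home.resolve("lib/catalina.jar"));
        Status status = classify(version);
        boolean jaspic = jaspicConfigured(home.resolve("conf/jaspic-providers.xml"));
        System.out.println("Apache Tomcat " + version + ": " + status
                + (jaspic ? " (Jakarta Authentication providers configured, review them)"
                          : " (no providers declared in jaspic-providers.xml)"));
    }
}
```

The two signals are deliberately kept separate: the version check decides whether the patch is due, while the provider check tells you whether the bypass is reachable today. Programmatic AuthConfigFactory registrations inside a web application are not visible to the file check, so an application code review still closes that gap.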

The following security tools include specific detections for CVE-2024-52316:

  • Qualys: The plugin for this vulnerability is available with ID 152405 on the Qualys platform.
  • Nessus: Detection is supported through the following plugins:
    • Plugin ID 211504.
    • Plugin ID 211503.
    • Plugin ID 211505.
    • Plugin ID 211506.

These tools can be used to scan systems and detect vulnerable Apache Tomcat implementations.

As part of its emerging vulnerabilities service, Tarlogic proactively monitors the perimeter of its clients to report, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.

References
  • Announcement on Apache mailing lists: https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928
  • GitHub Advisory for CVE-2024-52316: https://github.com/advisories/GHSA-xcpr-7mr4-h4xq