CVE-2021-24122: Apache Tomcat Information Disclosure Vulnerability (CVE-2021-24122)


Description Preview

A vulnerability in Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59, and 7.0.0 to 7.0.106 could allow an attacker to access JSP source code when resources are served from a network location using the NTFS file system. This vulnerability stems from unexpected behavior in the JRE API File.getCanonicalPath() method, which is caused by inconsistent behavior of the Windows API (FindFirstFileW) under certain circumstances.

Overview

CVE-2021-24122 is an information disclosure vulnerability affecting multiple versions of Apache Tomcat. The vulnerability occurs specifically when Tomcat is configured to serve resources from a network location using the NTFS file system. Under these conditions, attackers could potentially access JSP source code that should not be accessible. This vulnerability is classified as CWE-706 (Use of Incorrectly-Resolved Name or Reference).

The root cause lies in how Tomcat interacts with underlying APIs. The Java Runtime Environment (JRE) API File.getCanonicalPath() behaves unexpectedly due to inconsistencies in the Windows API (FindFirstFileW) in certain scenarios. This behavior can lead to path resolution issues that expose sensitive JSP source code to unauthorized users.

Remediation

To address this vulnerability, users should upgrade to the following patched versions:

  • Apache Tomcat 10.0.0 or later
  • Apache Tomcat 9.0.40 or later
  • Apache Tomcat 8.5.60 or later
  • Apache Tomcat 7.0.107 or later

If upgrading is not immediately possible, consider the following mitigations:

  1. Avoid serving resources from network locations using NTFS file systems
  2. Implement additional access controls to restrict access to JSP source files
  3. Configure web application firewalls or similar security controls to block potential exploit attempts

System administrators should review their Tomcat configurations to identify if they are using network-based NTFS resources and prioritize patching accordingly.
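To make the version review above repeatable across an inventory, here is an added example (not part of this advisory or of the Tomcat project) that encodes the four affected ranges exactly as stated, handles the two milestone notations Tomcat uses (`10.0.0-M9`, `9.0.0.M1`), and reads the version out of `catalina.sh version` output. The banner text is constructed sample data.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as the advisory states them: (first affected, last affected).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M9"),
    ("9.0.0.M1", "9.0.39"),
    ("8.5.0", "8.5.59"),
    ("7.0.0", "7.0.106"),
]

# Tomcat 10 writes milestones as 10.0.0-M9, Tomcat 9 as 9.0.0.M1: accept both.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
# "Server version: Apache Tomcat/9.0.39" is the line catalina.sh version prints.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d[\w.\-]*)")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    A milestone sorts before the GA release with the same number, so GA gets
    flag 1 and milestones get flag 0 followed by their milestone index.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_banner(text: str) -> Optional[str]:
    """Extract the version string from `catalina.sh version` output, or None."""
    m = _BANNER_RE.search(text)
    return m.group(1) if m else None


# Constructed sample of `catalina.sh version` output for an affected build.
SAMPLE_BANNER = "Using CATALINA_BASE:   /opt/tomcat\nServer version: Apache Tomcat/9.0.39\n"

if __name__ == "__main__":
    found = version_from_banner(SAMPLE_BANNER)
    print(found, "affected" if found and is_affected(found) else "not affected")
```

Versions outside the listed branches (for example 8.0.x) report as not affected because the advisory does not list them, not because they are supported.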

References

  1. Apache Tomcat Security Announcement: https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E
  2. OSS Security Mailing List: http://www.openwall.com/lists/oss-security/2021/01/14/1
  3. Debian Security Advisory: https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
  4. NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20210212-0008/
  5. Oracle Critical Patch Update: https://www.oracle.com//security-alerts/cpujul2021.html
  6. Apache Tomcat Security Pages:
    • Tomcat 10: https://tomcat.apache.org/security-10.html
    • Tomcat 9: https://tomcat.apache.org/security-9.html
    • Tomcat 8: https://tomcat.apache.org/security-8.html
    • Tomcat 7: https://tomcat.apache.org/security-7.html

Industry Exposure (most to least affected)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
  2. Health Care & Social Assistance: Medium
  3. Public Administration: Medium
  4. Educational Services: Medium
  5. Finance and Insurance: Medium
  6. Transportation & Warehousing: Medium
  7. Retail Trade: Medium
  8. Other Services (except Public Administration): Low
  9. Professional, Scientific, & Technical Services: Low
  10. Utilities: Low
  11. Arts, Entertainment & Recreation: Low
  12. Management of Companies & Enterprises: Low
  13. Accommodation & Food Services: Low
  14. Information: Low
  15. Real Estate Rental & Leasing: Low
  16. Mining: Low
  17. Administrative, Support, Waste Management & Remediation Services: Low
  18. Agriculture, Forestry, Fishing & Hunting: Low
  19. Construction: Low
  20. Wholesale Trade: Low
