Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-50379
Impact
All supported versions of Data Insight are integrated with vulnerable versions of Apache Tomcat.
All Data Insight deployments are installed on case-insensitive file systems (Windows OS).
However, the Default Servlet in Tomcat is not configured to allow write operations, which prevents the exploitation of the vulnerability.
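The two conditions above (an affected Tomcat version and a write-enabled default servlet) can be verified on an installation rather than assumed. The following script is an added example and is not part of this advisory or of Data Insight; it compares a Tomcat version string against the affected ranges stated in the Description and inspects a `conf/web.xml` for the DefaultServlet's `readonly` init-param. The `readonly` parameter name is Tomcat's own DefaultServlet setting (it defaults to `true`, i.e. writes disabled) and is taken from Tomcat's documentation, not from this advisory; the `web.xml` fragments are constructed samples.

```python
"""Exposure check for CVE-2024-50379 (added example; not part of the advisory).

Both conditions named in the advisory must hold for the TOCTOU issue to be
exploitable: an affected Tomcat version and a DefaultServlet configured to
allow writes. The 'readonly' init-param is Tomcat's documented DefaultServlet
setting (default true); the web.xml fragments below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# First fixed patch level per branch, as stated in the advisory.
FIXED_PATCH = {(11, 0): 2, (10, 1): 34, (9, 0): 98}

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(version):
    """Return (major, minor, patch); milestone suffixes such as '-M1' or '.M1' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False  # branch not listed in the advisory
    return patch < fixed


def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if web.xml declares DefaultServlet with init-param readonly=false."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in param}
            if (fields.get("param-name") == "readonly"
                    and fields.get("param-value", "").lower() == "false"):
                return True
        return False  # DefaultServlet present, readonly left at its default (true)
    return False  # no DefaultServlet declaration found


def assess(version, web_xml_text):
    """Combine both conditions; 'exposed' is True only when both hold."""
    affected = is_affected_version(version)
    writable = default_servlet_writable(web_xml_text)
    return {"affected_version": affected,
            "default_servlet_writable": writable,
            "exposed": affected and writable}


# Constructed sample: the shipped default (readonly not set, so it stays true).
WEB_XML_DEFAULT = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the non-default, write-enabled configuration the advisory warns about.
WEB_XML_WRITABLE = WEB_XML_DEFAULT.replace(
    "<init-param><param-name>listings",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>"
    "<init-param><param-name>listings")

if __name__ == "__main__":
    for ver, xml in (("9.0.97", WEB_XML_DEFAULT),
                     ("9.0.97", WEB_XML_WRITABLE),
                     ("9.0.98", WEB_XML_WRITABLE)):
        print(ver, assess(ver, xml))
```

Run against a real installation by reading `conf/web.xml` (and any application `WEB-INF/web.xml` that remaps the default servlet) into `assess()`; the Data Insight case described above corresponds to the first sample row, an affected version whose default servlet is left read-only, which reports `exposed: False`.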
Mitigation
There are no mitigation measures required for currently released versions of Data Insight.
The next release of Data Insight will include an updated Apache Tomcat that has this vulnerability mitigated.