Legacy Knowledge Base
Published Jun. 30, 2025

Tomcat Vulnerabilities CVE-2024-50379 and CVE-2024-56337 in Liferay DXP

Written By

Emma Carr-Gardner

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • A Tomcat vulnerability was reported after moving to Liferay DXP 7.4.
  • How to remediate the Apache Tomcat 9 Remote Code Execution (RCE) via write-enabled default servlet vulnerability (CVE-2024-50379) and the Denial of Service (DoS) via OutOfMemoryError vulnerability (CVE-2024-56337).

Environment

  • Liferay DXP 7.4
  • Apache Tomcat 9.0.0.M1 to 9.0.97

Resolution

  • These vulnerabilities are not exploitable in Liferay DXP default bundles because they require a change to the default servlet's default init parameter (the default servlet must be made write-enabled). They are also not exploitable on case-sensitive operating systems such as Linux.
  • If these vulnerabilities are still a concern, you can mitigate them by upgrading to a Tomcat version where the issue is fixed, such as Tomcat 9.0.98.
  • If using Docker, see the documentation on Providing Files to the Container for instructions on how to provide the updated Tomcat bundle to the Docker container. Alternatively, you can create your own bundle locally by following the documentation on Installing on Tomcat.
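As an added example (not part of the Liferay article or of Tomcat itself), a Python check for the preconditions the Resolution describes: a Tomcat version in the affected range, a write-enabled default servlet, and a case-insensitive file system. It assumes the init parameter meant is DefaultServlet's `readonly` (which ships as true) and uses a constructed conf/web.xml fragment as input.

```python
"""Check a Tomcat 9 install for the CVE-2024-50379 / CVE-2024-56337 preconditions."""
import xml.etree.ElementTree as ET

FIXED_VERSION = (9, 0, 98)  # first Tomcat 9 release with the fix, per the article
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def parse_version(version: str) -> tuple:
    """'9.0.97' -> (9, 0, 97); a milestone such as '9.0.0.M1' is treated as (9, 0, 0)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    parts = parts[:3]
    return tuple(parts) + (0,) * (3 - len(parts))

def version_affected(version: str) -> bool:
    """True for Tomcat 9.0.0.M1 up to and including 9.0.97."""
    return (9, 0, 0) <= parse_version(version) < FIXED_VERSION

def default_servlet_writable(web_xml: str) -> bool:
    """True if conf/web.xml sets readonly=false on the DefaultServlet (assumed parameter)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop namespaces so lookups work with or without xmlns
        el.tag = el.tag.split("}", 1)[-1]
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-class", "").strip() != DEFAULT_SERVLET:
            continue
        for param in servlet.iter("init-param"):
            if param.findtext("param-name", "").strip() == "readonly":
                return param.findtext("param-value", "").strip().lower() == "false"
    return False  # Tomcat's shipped default is readonly=true

def assess(web_xml: str, version: str, case_insensitive_fs: bool) -> dict:
    """Combine the three preconditions the article lists into one verdict."""
    affected = version_affected(version)
    writable = default_servlet_writable(web_xml)
    return {
        "version_in_affected_range": affected,
        "default_servlet_writable": writable,
        "exposed": affected and writable and case_insensitive_fs,
        "action": "upgrade to Tomcat 9.0.98 or later" if affected else "none",
    }

# Constructed sample: a conf/web.xml fragment with readonly flipped to false.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run `assess(open("conf/web.xml").read(), "<your version>", case_insensitive_fs=True)` against a real bundle; a `False` for `default_servlet_writable` matches the article's statement that default Liferay bundles are not exposed.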