
CVE-2024-23672: Medium Vulnerability in Apache Tomcat

A medium-severity denial of service vulnerability exists in Apache Tomcat due to incomplete cleanup of WebSocket connections. Organizations are advised to upgrade to the latest versions to mitigate the risk.

MEDIUM · CVSS 6.3 · Published March 13, 2024


CVE-2024-23672 is a medium-severity vulnerability affecting Apache Tomcat versions 11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98. This vulnerability allows for denial of service due to incomplete cleanup of WebSocket connections, leading to increased resource consumption. Older, end-of-life versions may also be affected.

As the CVSS score for this vulnerability is 6.3, it is classified as medium severity. Organizations should consider the potential impact on system availability, especially if they rely heavily on WebSocket connections for real-time communication.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99 to mitigate the issue. Given the nature of this vulnerability, organizations should prioritize patching to prevent potential resource exhaustion.

The urgency for defenders is moderate, and organizations should schedule remediation during their priority patch cycle to address this vulnerability.

Vulnerability Details

This vulnerability allows denial of service through incomplete cleanup of WebSocket connections in Apache Tomcat. The affected versions are 11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98.

The CVSS score of 6.3 indicates a medium threat level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.

The affected products include Apache Tomcat, Debian Linux, and Fedora. The vulnerability was published on March 13, 2024.

Technical Analysis

The root cause of this vulnerability is related to the handling of WebSocket connections. Specifically, the incomplete cleanup can lead to an accumulation of open connections, which increases resource consumption on the server.

The attack vector is network-based (AV:N), so the vulnerability can be exploited remotely without physical or local access to the server.

The attack complexity is low (AC:L), requiring only basic knowledge of WebSocket connections. The privileges required are low (PR:L), so an attacker needs only a low-privileged account on the application rather than administrative access.

User interaction is not required to exploit this vulnerability, making it a more significant threat. The impacts on confidentiality, integrity, and availability are all categorized as low, but the denial of service could still lead to significant operational disruption.

Risk & Impact Analysis

Risk to organizations includes service disruption caused by resource exhaustion from WebSocket connections that are never fully cleaned up. This can affect the availability of applications relying on these connections, leading to a degraded user experience or outright service outages.

Organizations should assess the potential impact on their applications, especially those that rely on Apache Tomcat for real-time communications. Given the medium severity, organizations should schedule remediation during their priority patch cycle.

The urgency is moderate: patches should be applied as soon as feasible to limit the risk of resource exhaustion.

Exploitation Status

Signal              Status
Known Exploit       No
Public PoC          No
Actively Exploited  No
Ransomware Use      No

Affected Versions

Affected versions include Apache Tomcat from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, and from 8.5.0 through 8.5.98. Users are advised to upgrade to versions 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99.
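To turn the version ranges above into an inventory check, here is an added example (not code from the advisory or from the Tomcat project) that parses Tomcat version strings, including the milestone form such as 11.0.0-M16, and reports which hosts still need the fixed release. The inventory below is constructed; hostnames are placeholders.

```python
import re

# Inclusive affected ranges and the fixed release per branch, as stated in the advisory.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M16", "11.0.0-M17"),
    ("10.1.0-M1", "10.1.18", "10.1.19"),
    ("9.0.0-M1", "9.0.85", "9.0.86"),
    ("8.5.0", "8.5.98", "8.5.99"),
]
FIRST_TRACKED = "8.5.0"  # the advisory says older, end-of-life versions may also be affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_GA = 10**6  # milestones (M1, M2, ...) sort before the GA build with the same numbers


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, milestone) for a Tomcat version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


def assess(version):
    """Return (status, fixed_version). status is 'affected', 'not affected' or
    'eol, possibly affected' for releases older than the tracked branches."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected", fixed
    if v < parse_version(FIRST_TRACKED):
        return "eol, possibly affected", None
    return "not affected", None


def hosts_needing_upgrade(inventory):
    """inventory: iterable of (hostname, version). Returns hosts that are not on a fixed release."""
    findings = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status != "not affected":
            findings.append((host, version, status, fixed))
    return findings


# Constructed inventory with placeholder hostnames.
SAMPLE_INVENTORY = [
    ("app-01.example", "9.0.85"),
    ("app-02.example", "9.0.86"),
    ("legacy-01.example", "7.0.109"),
    ("edge-01.example", "11.0.0-M16"),
]
```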

Mitigation & Remediation

To mitigate this vulnerability, organizations should ensure they upgrade to the fixed versions of Apache Tomcat. The recommended versions are 11.0.0-M17, 10.1.19, 9.0.86, or 8.5.99. If immediate upgrading is not possible, consider implementing appropriate network controls to restrict access to affected applications.

Penetration testing should also be conducted to identify any additional vulnerabilities that may exist within the environment.

Detection Guidance

Monitoring logs for unusual WebSocket connection patterns can help identify potential exploitation attempts. Look for indicators of high resource consumption related to WebSocket connections, as these may signify attempts to exhaust server resources.
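As an added example of the log monitoring described above (not code from the advisory), the script below reads Tomcat access-log lines in the default "common" pattern (%h %l %u %t "%r" %s %b), treats each 101 Switching Protocols response as a completed WebSocket upgrade, and flags any client that opens more upgrades than a threshold within a sliding time window. The log lines, IPs and the /chat/ws path are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines; 203.0.113.7 opens six upgrades within ten seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2024:10:00:01 +0000] "GET /chat/ws HTTP/1.1" 101 -
198.51.100.2 - - [13/Mar/2024:10:00:03 +0000] "GET /chat/ws HTTP/1.1" 101 -
203.0.113.7 - - [13/Mar/2024:10:00:04 +0000] "GET /chat/ws HTTP/1.1" 101 -
203.0.113.7 - - [13/Mar/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1423
203.0.113.7 - - [13/Mar/2024:10:00:06 +0000] "GET /chat/ws HTTP/1.1" 101 -
203.0.113.7 - - [13/Mar/2024:10:00:08 +0000] "GET /chat/ws HTTP/1.1" 101 -
203.0.113.7 - - [13/Mar/2024:10:00:09 +0000] "GET /chat/ws HTTP/1.1" 101 -
203.0.113.7 - - [13/Mar/2024:10:00:11 +0000] "GET /chat/ws HTTP/1.1" 101 -
198.51.100.2 - - [13/Mar/2024:10:02:40 +0000] "GET /chat/ws HTTP/1.1" 101 -
"""

# Fields of the common log pattern: client, ident, user, timestamp, request line, status, bytes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _ = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def find_upgrade_bursts(log_text, threshold=5, window_seconds=60):
    """Map client IP -> peak number of WebSocket upgrades (101 responses) seen
    inside any window of window_seconds, keeping only clients at or above threshold."""
    windows = defaultdict(deque)  # per-client timestamps inside the current window
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 101:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop upgrades that fell out of the window
        peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}
```

The access log records only the upgrade, not how long each socket stayed open, so correlate any flagged client with server-side connection or thread metrics before treating it as exploitation.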

AppSecure Threat Intelligence Insight

The significance of CVE-2024-23672 lies in its potential to affect the availability of applications relying on Apache Tomcat for WebSocket connections. This vulnerability highlights the importance of timely upgrades and the need for comprehensive monitoring of WebSocket traffic.

Organizations should ensure they have a robust application security assessment strategy to identify and remediate similar issues proactively.

In conclusion, organizations must prioritize patching and consider implementing red teaming exercises to ensure their defenses are robust against such vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

