Skip to main content
Skip table of contents

Critical Tomcat vulnerability (CVE-2024-56337, CVE-2024-50379)

Latest update date of this article:
2025-01-08

General information

A new critical security vulnerability for Tomcat application servers was reported on 2024-12-20. The vulnerability opens a remote code execution (RCE) flaw, which can only be abused on operating systems with non-case-sensitive file systems. This practically affects all Tomcat servers running on Windows Server. We recommend all customers running Tomcat-based Nexus components to update their systems as described below.

Linux-based or Docker-based installations are not affected.

Official sites for the CVEs

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

Affected components

Only Tomcat installations on non-case insensitive file systems (for example Windows Server) are affected.

If you have one of the following Nexus server components hosted on Windows, please update your Tomcat installation(s):

  • Identity Manager

  • Hermod

Update Tomcat version

Users are recommended to upgrade to Tomcat version 9.0.98,10.1.34 or 11.0.2, which fixes the issue.

Tomcat version 9.0.x:

  • Update to 9.0.98 or higher

Tomcat version 10.1.x:

  • Update to 10.1.34 or higher

Tomcat version 11.0.x:

  • Update to 11.0.2 or higher

Tomcat startup configuration

Ensure that the Java system property sun.io.useCanonCache is set for Tomcat as described below:

Running on Java 8 or Java 11:

  • Set the system property sun.io.useCanonCaches to false. It defaults to true.

Running on Java 17:

  • Set the system property sun.io.useCanonCaches, if set, to false. It defaults to false.

Running on Java 21 and later versions:

  • No further configuration is required. The system property and the problematic cache have been removed.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close