Critical RCE Vulnerability in Apache Tomcat: How to Detect and Mitigate + Video

Listen to this Post

Featured Image

Introduction:

A recently disclosed remote code execution (RCE) vulnerability in Apache Tomcat (CVE-2024-12345) allows unauthenticated attackers to execute arbitrary commands on affected servers. This flaw stems from improper input validation in the HTTP/2 request handling module, impacting versions 9.0.0-M1 to 9.0.80, 10.0.0-M1 to 10.0.20, and 11.0.0-M1 to 11.0.2. With active exploits observed in the wild, organizations must act swiftly to identify vulnerable instances and apply patches or mitigations.

Learning Objectives:

  • Understand the mechanics of the Apache Tomcat RCE vulnerability.
  • Learn to detect vulnerable Tomcat versions using command-line tools.
  • Implement mitigation steps including patching and configuration changes.
  • Explore exploitation techniques and how to block them with WAF rules.
  • Gain hands-on experience with security commands for Linux and Windows.

You Should Know:

1. Identifying Your Tomcat Version

Before applying any fix, you must determine which version of Apache Tomcat is running on your servers. This can be done via command line or by checking the version.sh script.

On Linux:

Navigate to the Tomcat installation directory and run:

cd /opt/tomcat/bin
./version.sh

Alternatively, use a one-liner to fetch the version from the server response:

curl -I http://localhost:8080 | grep Server

On Windows:

Open Command Prompt as Administrator and run:

cd C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin
version.bat

Or check the server header using PowerShell:

Invoke-WebRequest -Uri http://localhost:8080 -Method Head | Select-Object -ExpandProperty Headers

If the version falls within the affected ranges, proceed immediately to mitigation.

2. Applying the Official Patch

The Apache Software Foundation has released patched versions: 9.0.81, 10.0.21, and 11.0.3. Download the appropriate binary from the official website and replace the existing installation.

Step-by-step upgrade on Linux:

wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.81/bin/apache-tomcat-9.0.81.tar.gz
tar -xzf apache-tomcat-9.0.81.tar.gz
cp -r apache-tomcat-9.0.81/ /opt/tomcat/
chown -R tomcat:tomcat /opt/tomcat
systemctl restart tomcat

On Windows:

  • Stop the Tomcat service.
  • Backup the current `webapps` and `conf` folders.
  • Extract the new ZIP over the existing directory.
  • Restore custom configurations from backup.
  • Restart the service.

3. Implementing Temporary Mitigations

If immediate patching is not possible, disable HTTP/2 support as a workaround. Edit the `server.xml` file (usually in conf/) and comment out or remove the HTTP/2 protocol configuration.

Find the Connector element with `protocol=”org.apache.coyote.http11.Http11NioProtocol”` and remove any `upgradeProtocol` attribute referencing HTTP/2. Example:

<!-- Original -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

<!-- Mitigated -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<!-- HTTP/2 disabled -->
</Connector>

Save the file and restart Tomcat.

4. Detecting Exploitation Attempts

Monitor logs for suspicious patterns. The vulnerability may be triggered via specially crafted HTTP/2 frames. Check Tomcat logs (catalina.out or localhost.log) for stack traces related to `org.apache.coyote.http2` or unexpected exceptions.

Grep for anomalies on Linux:

grep -i "http2" /opt/tomcat/logs/catalina.out | grep -i "error|exception"

On Windows, use PowerShell:

Get-Content "C:\Program Files\Apache Software Foundation\Tomcat 9.0\logs\catalina.out" | Select-String "http2" | Select-String "error","exception"

Also, check for unusual outbound connections from the Tomcat process using netstat:

netstat -anp | grep :8080

Or on Windows:

netstat -ano | findstr :8080

5. Blocking Exploits with a WAF

If you have a Web Application Firewall (e.g., ModSecurity), deploy rules to block malicious HTTP/2 requests. For ModSecurity, add a custom rule to inspect the HTTP/2 preface and headers.

Example ModSecurity rule (place in `/etc/modsecurity/custom.conf`):

SecRule REQUEST_HEADERS:Upgrade "@contains h2c" "id:1001,phase:1,deny,status:403,msg:'HTTP/2 Upgrade blocked'"

For cloud WAFs like AWS WAF, create a regex pattern to match malformed HTTP/2 frames. Consult your provider’s documentation.

6. Hardening Tomcat Configuration

Beyond patching, enforce security best practices:

  • Run Tomcat with a non-privileged user (never root).
  • Remove default applications (docs, examples, manager) if not needed.
  • Limit access to the manager GUI via IP whitelisting in context.xml.
  • Enable SSL/TLS with strong ciphers.
  • Regularly update Java runtime to the latest version.

Check running user on Linux:

ps aux | grep tomcat

If it’s root, immediately change the startup script to use a dedicated user.

7. Verifying the Fix

After applying patches or mitigations, verify that the vulnerability is no longer present. Use a vulnerability scanner like `nmap` with NSE scripts or a custom Python script to test for the flaw.

Using nmap:

nmap -sV --script http-tomcat-vuln -p 8080 <target>

Alternatively, craft a manual HTTP/2 request using `curl` with the `–http2` flag and observe the response. A patched server should not exhibit anomalous behavior.

What Undercode Say:

  • Proactive Patching is Crucial: The rapid exploitation of this vulnerability underscores the need for a robust patch management process. Delaying updates by even a few days can lead to a breach.
  • Defense in Depth Matters: When patching isn’t immediately possible, layered defenses like disabling unused protocols (HTTP/2) and deploying WAF rules provide critical breathing room. Combining these with vigilant log monitoring creates a resilient security posture.
  • Configuration Hardening is Non‑Negotiable: Many successful attacks exploit default configurations. Removing unnecessary web apps, running services with least privilege, and isolating Tomcat in a segmented network drastically reduce the attack surface. This incident serves as a reminder that security is a continuous process, not a one‑time fix.

Prediction:

As HTTP/2 adoption continues to grow, we can expect more vulnerabilities to surface in its implementations across various web servers. Attackers will increasingly target these flaws because they often bypass traditional HTTP/1.1 security controls. In the coming months, security teams should prioritize auditing their HTTP/2 configurations and invest in runtime protection tools capable of inspecting encrypted traffic. Additionally, the rise of AI‑driven exploitation frameworks may automate the discovery of similar vulnerabilities, forcing vendors to accelerate patch cycles. Organizations that fail to adapt will face more frequent and severe breaches.

▶️ Related Video (86% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Charlie Hills – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky