MFT Command Center and Internet Server are not affected by critical CVE-2024-50379 that can impact Apache Tomcat

Article ID: KB0137214

Products                                      Versions
TIBCO Managed File Transfer Command Center    All
TIBCO Managed File Transfer Internet Server   All

Description

A critical vulnerability CVE-2024-50379 has been reported that can impact Apache Tomcat:

https://nvd.nist.gov/vuln/detail/CVE-2024-50379

According to the CVE "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration)."

Environment

All supported environments

Resolution

MFT Command Center and Internet Server are not affected by CVE-2024-50379. The default servlet is configured in the <MFT installation folder>/server/conf/web.xml file, and MFT does not set the readOnly init parameter, so it takes Tomcat's default value of true. The vulnerability is only exploitable when the default servlet is explicitly configured with readOnly=false.

In addition, MFT does not use the default servlet.
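To confirm the readOnly state on a given installation rather than taking it on faith, the following added script (not TIBCO's or Apache's code) parses a web.xml, finds the servlet whose class is org.apache.catalina.servlets.DefaultServlet, and reports whether readOnly is explicitly false; the sample web.xml fragments are constructed for the example, and the file path on the command line is assumed to be the <MFT installation folder>/server/conf/web.xml named above.

```python
# Added example, not TIBCO's or Apache's code: report whether a Tomcat web.xml
# enables writes on the default servlet (readOnly=false), the non-default
# configuration CVE-2024-50379 requires. Tomcat treats a missing readOnly
# init-param as true.
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip the XML namespace, which differs between Tomcat versions."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(web_xml_text):
    """Effective readOnly of the default servlet: True/False, or None if the
    servlet is not declared at all."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if cls == DEFAULT_SERVLET:
            return params.get("readOnly", "true").lower() == "true"
    return None

def writable_default_servlet(web_xml_text):
    """True only when readOnly is explicitly false (the risky setting)."""
    return default_servlet_readonly(web_xml_text) is False

# Constructed samples: the shipped style (readOnly absent) and the risky one.
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
RISKY_WEB_XML = SAFE_WEB_XML.replace(
    "</servlet></web-app>",
    "<init-param><param-name>readOnly</param-name><param-value>false</param-value></init-param>"
    "</servlet></web-app>")

if __name__ == "__main__":
    # Usage: python check_default_servlet.py <MFT installation folder>/server/conf/web.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAFE_WEB_XML
    print("readOnly=false on default servlet:", writable_default_servlet(text))
```

A result of True means the servlet is writable and the configuration should be reverted to the default (remove the readOnly init-param or set it to true).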

Issue/Introduction

MFT Command Center and Internet Server are not affected by critical CVE-2024-50379 that can impact Apache Tomcat