CVE-2024-46544: 
Apache Tomcat vulnerability analysis and mitigation

An Incorrect Default Permissions vulnerability (CVE-2024-46544) was discovered in Apache Tomcat Connectors affecting versions from 1.2.9-beta through 1.2.49. The vulnerability specifically impacts modjk on Unix-like systems, while neither the ISAPI redirector nor modjk on Windows is affected. The issue was disclosed on September 23, 2024, and has been assigned a CVSS v3.1 base score of 5.9 (Medium) (NVD, Apache Security).

The vulnerability stems from incorrect default permissions in the shared memory configuration of modjk. This security flaw allows local users to view and modify the shared memory containing modjk configuration data. The issue has been classified under CWE-276 (Incorrect Default Permissions) and received a CVSS v3.1 vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating local access with low attack complexity and no privileges required (NVD).

The vulnerability can lead to information disclosure and potential denial of service attacks. Local users can access and modify the shared memory containing mod_jk configuration, potentially compromising the security and stability of the Apache web server's communication with Tomcat (Openwall).

Users are strongly recommended to upgrade to Apache Tomcat Connectors version 1.2.50, which contains the fix for this vulnerability. Various Linux distributions have also released security updates to address this issue, including Red Hat Enterprise Linux and Debian (Red Hat Advisory, Debian Advisory).