
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A time-of-check to time-of-use (TOCTOU) race condition vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. It is an incomplete mitigation of a previous issue (CVE-2024-50379) and primarily affects systems running Tomcat on case-insensitive file systems with the default servlet write enabled (Apache List, NVD).
The flaw is a TOCTOU race that can occur when concurrent read and upload operations are performed under load on the same file. Under these conditions the race can bypass Tomcat's case-sensitivity checks, so an uploaded file may be treated as a JSP and executed, giving remote code execution. The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Hacker News, NetApp Advisory).
Successful exploitation could lead to remote code execution (RCE), allowing an attacker to run arbitrary code on the affected system. This can result in disclosure of sensitive information, modification of data, or denial of service (DoS) (Hacker News, NetApp Advisory).
The mitigation steps depend on the Java version in use. On Java 8 or Java 11, the system property sun.io.useCanonCaches must be explicitly set to false. On Java 17, the property may be left unset, but if it is set it must be false. On Java 21 and later, no additional configuration is required. The fixed releases are Tomcat 11.0.2 or later, 10.1.34 or later, and 9.0.98 or later (NVD, Hacker News).
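The fixed-version ranges and the per-Java-version rule for sun.io.useCanonCaches above are easy to misapply across a fleet, so here is an added audit helper (not code from the advisory or the Tomcat project) that classifies one instance as fixed, mitigated or vulnerable from its Tomcat version string, Java major version and JVM options. The treatment of Java majors the advisory does not name (12 to 16, 18 to 20) as requiring an explicit false is an assumption.

```python
import re

# First fixed release on each branch named in the advisory.
FIXED_RELEASES = {11: (11, 0, 2), 10: (10, 1, 34), 9: (9, 0, 98)}


def parse_tomcat_version(version):
    """Turn '9.0.97', '11.0.0-M1' or '9.0.0.M1' into a comparable tuple.
    A milestone Mn sorts before the final release with the same x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone else float("inf")  # final release ranks last
    return int(major), int(minor), int(patch), rank


def tomcat_is_fixed(version):
    """True if the release contains the fix; None for branches the advisory omits."""
    parsed = parse_tomcat_version(version)
    fixed = FIXED_RELEASES.get(parsed[0])
    if fixed is None:
        return None
    return parsed >= (*fixed, float("inf"))


def canon_caches_setting(jvm_opts):
    """Read -Dsun.io.useCanonCaches from a JVM option string such as CATALINA_OPTS.
    Returns None when unset; True only for the literal 'true' (case-insensitive),
    which is how the JDK parses boolean system properties."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S*)", jvm_opts)
    return None if m is None else m.group(1).lower() == "true"


def canon_caches_mitigated(java_major, setting):
    """Per-Java-version rule from the advisory; unnamed majors treated like 8/11 (assumption)."""
    if java_major >= 21:
        return True                 # nothing required
    if java_major == 17:
        return setting is not True  # unset or explicitly false is fine
    return setting is False         # 8 / 11 (and assumed others): must be explicitly false


def assess(tomcat_version, java_major, jvm_opts=""):
    """Return 'fixed', 'mitigated', 'vulnerable' or 'not-in-advisory' for one instance."""
    fixed = tomcat_is_fixed(tomcat_version)
    if fixed is None:
        return "not-in-advisory"
    if fixed:
        return "fixed"
    if canon_caches_mitigated(java_major, canon_caches_setting(jvm_opts)):
        return "mitigated"
    return "vulnerable"
```

Feed it the version from `catalina.sh version` and the JVM options from CATALINA_OPTS; an instance on a case-sensitive file system or with the default servlet left read-only is lower exposure even when reported as vulnerable.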
Source: This report was generated using AI