security@apache.org reports:
Time-of-check Time-of-use (TOCTOU) Race Condition
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the
default servlet write enabled (readonly initialisation parameter
set to the non-default value of false) may need additional configuration
to fully mitigate CVE-2024-50379 depending on which version of Java
they are using with Tomcat: - running on Java 8 or Java 11: the
system propertysun.io.useCanonCaches must be explicitly set to false
(it defaults to true) - running on Java 17: thesystem property
sun.io.useCanonCaches, if set, must be set to false(it defaults to
false) - running on Java 21 onwards: no further configuration is
required(the system property and the problematic cache have been
removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks
thatsun.io.useCanonCaches is set appropriately before allowing the
default servlet to be write enabled on a case insensitive file
system. Tomcat will also setsun.io.useCanonCaches to false by
default where it can.