| Summary: Xerox evaluated DocuShare for exposure to Apache Tomcat CVE-2024-56337. Under the Xerox-supplied Tomcat configuration, DocuShare is not affected because the Tomcat DefaultServlet remains read-only and the write-enabled path required for exploitation is not present. |
Applies To
| DocuShare Release | Guidance |
| DocuShare 7.5 | Current patched builds are not affected under the Xerox-supplied configuration. |
| DocuShare 7.6 | Current patched builds are not affected under the Xerox-supplied configuration. |
| DocuShare 7.7 | Current patched builds are not affected under the Xerox-supplied configuration. |
| DocuShare 8.0 | Current patched builds are not affected under the Xerox-supplied configuration. |
Overview
CVE-2024-56337 is the follow-on Apache Tomcat advisory stating that the fix for CVE-2024-50379 (a time-of-check/time-of-use race in the Tomcat DefaultServlet on case-insensitive file systems that can lead to remote code execution) was incomplete and that, depending on the Java version, additional JVM configuration is needed. It is relevant only on case-insensitive file systems and only when the DefaultServlet has been configured to allow writes; with the servlet in its default read-only mode the race cannot be reached.
This article explains why the standard Xerox DocuShare deployment does not expose that path and what you should verify if your organization has customized Tomcat beyond the shipped configuration.
What the Vulnerability Requires
The issue requires multiple conditions to be true at the same time.
- A Tomcat build in the affected range, that is, older than the 9.0.x release in which Apache fixed the issue.
- A case-insensitive file system, such as NTFS on a typical Windows server.
- The Tomcat DefaultServlet configured with its readonly init-param set to false (the default is true), so that PUT and DELETE requests can create, overwrite or remove files under the web application.
- The JRE's canonical file name cache enabled. This is controlled by the sun.io.useCanonCaches system property, which defaults to true on Java 8 and 11 and to false on Java 17; from Java 21 onwards the property and the cache no longer exist.
DocuShare Assessment
| Assessment Item | Finding |
| DocuShare shipped DefaultServlet configuration | Read-only; the Xerox-supplied global web.xml does not enable write support. |
| Tomcat write-enabled servlet path required for exploit | Not present in the standard DocuShare deployment. |
| Current patched DocuShare builds | Not affected under the shipped Xerox configuration. |
| Important: If your organization has manually enabled Tomcat DefaultServlet writes or substantially customized Tomcat behavior, review those changes carefully because that is the core prerequisite for this CVE. |
What You Should Do
- If you are using the Xerox-supplied Tomcat configuration, no additional action is required for this CVE.
- If you have customized Tomcat, confirm that neither the global conf/web.xml nor any application's WEB-INF/web.xml sets the DefaultServlet's readonly init-param to anything other than true. If writes have been enabled and cannot be reverted, make sure sun.io.useCanonCaches is set to false in the JVM options on Java 8 or 11 and is not set to true on Java 17.
- If your security policy requires fixed Tomcat levels even when the trigger conditions are absent, review your Tomcat against Apache Tomcat 9.0.99 or later.
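The following script is an added example, not Xerox or Apache code. It turns the prerequisites listed under "What the Vulnerability Requires" into a check an administrator can run against the configuration-side conditions named in "What You Should Do": it parses web.xml text for a write-enabled DefaultServlet, evaluates whether the JRE canonical path cache is active for a given Java major version and JVM option string, and reports whether the exploit path is open. The Tomcat version itself is not evaluated here; compare that against the vendor guidance separately. The web.xml samples are constructed for the example; the Java-version defaults follow the Apache Tomcat advisory.

```python
"""Configuration-side checks for the CVE-2024-56337 prerequisites on a Tomcat instance.

Added example, not Xerox or Apache code. Inspects web.xml text and JVM options that an
administrator controls; the Tomcat version is compared against vendor guidance separately.
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
CANON_CACHE_PROP = "sun.io.useCanonCaches"


def _local(tag):
    """Drop the namespace of a tag such as {http://xmlns.jcp.org/xml/ns/javaee}servlet."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name, strip=True):
    """Text of the first direct child called `name`, or None if there is none."""
    for child in elem:
        if _local(child.tag) == name:
            text = child.text or ""
            return text.strip() if strip else text
    return None


def default_servlet_write_enabled(web_xml_text):
    """True if this web.xml declares a write-enabled DefaultServlet, False if it declares
    a read-only one, None if it declares none at all.

    A DefaultServlet is matched by servlet-name "default" (the name in Tomcat's global
    conf/web.xml) or by servlet-class, so a second instance under another name is not
    missed. readonly defaults to true and Tomcat parses it with Boolean.parseBoolean:
    only the literal "true" (case-insensitive) keeps the servlet read-only, so "false",
    "no", "0" and an empty value all enable writes. The value is compared untrimmed.
    """
    findings = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if (_child_text(servlet, "servlet-name") != "default"
                and _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS):
            continue
        readonly = "true"  # Tomcat's default when the init-param is absent
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "readonly"):
                readonly = _child_text(param, "param-value", strip=False) or ""
        findings.append(readonly.lower() != "true")
    return any(findings) if findings else None


def canon_cache_enabled(java_major, jvm_opts=""):
    """Whether the JRE canonical file name cache is active for this Java/JVM-option pair.

    Per the Tomcat advisory: Java 8 and 11 default the property to true, Java 17 to
    false, and Java 21 onwards has neither the property nor the cache. Releases between
    11 and 17 that the advisory does not name are treated conservatively as cache-on
    unless the property is set. The JRE honours only the literal "true" as enabling.
    """
    if java_major >= 21:
        return False
    match = re.search(r"-D" + re.escape(CANON_CACHE_PROP) + r"=([^\s;]*)", jvm_opts)
    if match:
        return match.group(1).lower() == "true"
    return java_major < 17


def exploit_path_present(web_xml_texts, case_insensitive_fs, java_major, jvm_opts=""):
    """True only when every configuration-side prerequisite holds at the same time:
    a write-enabled DefaultServlet in any given web.xml, a case-insensitive file system
    and an active canonical path cache."""
    writable = any(default_servlet_write_enabled(t) for t in web_xml_texts)
    return bool(writable and case_insensitive_fs and canon_cache_enabled(java_major, jvm_opts))


# Constructed sample in the shape of the DefaultServlet entry in Tomcat's global conf/web.xml.
SHIPPED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample of the customization the advisory warns about: readonly switched off.
CUSTOMIZED_WEB_XML = SHIPPED_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "    <load-on-startup>",
)

if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED_WEB_XML), ("customized", CUSTOMIZED_WEB_XML)):
        print(f"{label}: DefaultServlet write-enabled = {default_servlet_write_enabled(text)}")
    # Windows (case-insensitive NTFS) on Java 11 with the property unset: the path is
    # open only if an administrator has turned writes on.
    print("exploit path, shipped config:", exploit_path_present([SHIPPED_WEB_XML], True, 11))
    print("exploit path, customized config:", exploit_path_present([CUSTOMIZED_WEB_XML], True, 11))
    print("customized but cache disabled:",
          exploit_path_present([CUSTOMIZED_WEB_XML], True, 11, "-Dsun.io.useCanonCaches=false"))
```

Feed it the text of conf/web.xml together with every deployed application's WEB-INF/web.xml; any file that declares a write-enabled DefaultServlet is a finding to review, whatever the others say. The check deliberately mirrors Java's parsing rather than looking for the string "false": a readonly value of "no" or "0" is just as write-enabled as "false", and a property value of "False" disables the cache just as "false" does.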