| Summary: Xerox evaluated DocuShare for exposure to Apache Tomcat CVE-2024-50379. Current patched DocuShare builds use Apache Tomcat 9.0.106, which is newer than the Tomcat fix level for this CVE. In addition, the DocuShare Tomcat DefaultServlet remains in its default read-only mode, which blocks the write path required for exploitation. |
Applies To
| DocuShare Release | Guidance |
| DocuShare 7.5 | Covered by this advisory. Review only if your environment includes Tomcat customizations or an older unpatched Tomcat level. |
| DocuShare 7.6 | Covered by this advisory. Review only if your environment includes Tomcat customizations or an older unpatched Tomcat level. |
| DocuShare 7.7 | Covered by this advisory. Review only if your environment includes Tomcat customizations or an older unpatched Tomcat level. |
| DocuShare 8.0 | Covered by this advisory. Current patched builds are not affected under the shipped Xerox configuration. |
Overview
CVE-2024-50379 is an Apache Tomcat vulnerability that can lead to remote code execution in a specific configuration. It is a time-of-check/time-of-use (TOCTOU) race in JSP compilation on case-insensitive file systems: when the Tomcat DefaultServlet is writable (readonly=false), an attacker can upload a file whose name differs from a JSP path only in letter case and, by racing that upload against a request for the path, cause Tomcat to compile and execute the uploaded content as a JSP.
This article explains what the CVE requires, how it relates to DocuShare, and what action you should take if you maintain a customized or older deployment.
What the Vulnerability Requires
This vulnerability is not triggered by Tomcat version alone. The exploit path depends on all of the following conditions holding at once.
- A Tomcat version older than the fixed release on the relevant major branch (for 9.0.x, a version older than 9.0.98).
- A case-insensitive file system, such as NTFS on a typical Windows installation.
- The Tomcat DefaultServlet configured to allow writes, typically by setting the readonly init-param to false, which enables HTTP PUT and DELETE through the DefaultServlet.
- A request path that lets an attacker place or alter content under the web application root in a location Tomcat later interprets as executable server-side content such as a JSP.
| Important: In DocuShare, the shipped Tomcat DefaultServlet configuration does not set readonly=false. The deployed Tomcat global web.xml keeps the DefaultServlet in its default read-only state and only overrides the listings parameter. |
DocuShare Assessment
| Assessment Item | Finding |
| Tomcat level used by current patched DocuShare builds | Apache Tomcat 9.0.106 |
| Tomcat fix level for the 9.0.x branch | Tomcat 9.0.98 or later contains the fix; 9.0.99 or later additionally enforces the sun.io.useCanonCaches setting required by the follow-up advisory CVE-2024-56337 on older Java versions |
| DefaultServlet write support in shipped DocuShare config | Not enabled; readonly is not overridden, so the Tomcat default read-only behavior remains in effect |
| DocuShare current patched builds | Not affected |
Current patched DocuShare builds ship with Apache Tomcat 9.0.106. That level is newer than the Tomcat 9.0.x fix level for CVE-2024-50379. Xerox also replaces Tomcat's global web.xml during deployment with the DocuShare-supplied configuration, and that file does not enable DefaultServlet write access.
What You Should Do
- If you are running a current patched DocuShare build with the Xerox-supplied Tomcat configuration, no additional action is required for this CVE.
- If you maintain an older or customized Tomcat deployment, confirm that your Tomcat level is at or above the fixed release for your branch.
- Do not enable write support on the Tomcat DefaultServlet unless you have a specific and reviewed requirement.
- If you have manually modified Tomcat web.xml or related servlet settings, review those changes to confirm that no readonly init-param has been added to the DefaultServlet with a value other than true. Tomcat parses this value with Java's Boolean.parseBoolean, so values such as 0 or no also disable read-only mode, not only the literal false.
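The following audit script is an added example, not Xerox or Apache code, that checks the three preconditions listed under "What the Vulnerability Requires" and automates the review steps above: it reads the Tomcat version string, inspects a conf/web.xml for a write-enabled DefaultServlet (treating any readonly value other than true as writable, which is how Tomcat parses it), and probes whether a directory sits on a case-insensitive file system. The sample web.xml, the `web_xml_with_readonly` helper, and the fix levels for the 10.1.x and 11.0.x branches are this example's own assumptions; the article itself only discusses 9.0.x.

```python
"""Audit a Tomcat deployment for the CVE-2024-50379 precondition set (added example)."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# First release on each branch containing the CVE-2024-50379 fix.
FIX_LEVELS = {9: (9, 0, 98), 10: (10, 1, 34), 11: (11, 0, 2)}
# First release that also enforces sun.io.useCanonCaches (follow-up CVE-2024-56337).
HARDENED_LEVELS = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}

# Constructed stand-in for a conf/web.xml that, like the DocuShare-supplied file
# described in the article, touches only the listings parameter of the DefaultServlet.
SHIPPED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def web_xml_with_readonly(value):
    """Constructed variant of the shipped file with an explicit readonly init-param."""
    param = ("<init-param><param-name>readonly</param-name>"
             f"<param-value>{value}</param-value></init-param>")
    return SHIPPED_WEB_XML.replace("<load-on-startup>", param + "<load-on-startup>")


def _local(tag):
    # Strip the Java EE namespace so the check works for any web-app schema version.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the init-params of the DefaultServlet declaration, or None if absent."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c for c in servlet if _local(c.tag) == "servlet-class"), None)
        if cls is None or (cls.text or "").strip() != DEFAULT_SERVLET_CLASS:
            continue
        params = {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                fields = {_local(c.tag): (c.text or "").strip() for c in child}
                params[fields.get("param-name", "")] = fields.get("param-value", "")
        return params
    return None


def default_servlet_writable(web_xml_text):
    """True if the DefaultServlet would accept PUT/DELETE.

    Tomcat applies Boolean.parseBoolean to the value, so the servlet is writable
    whenever readonly is present with anything other than "true" (case-insensitive).
    An absent parameter keeps Tomcat's read-only default.
    """
    params = default_servlet_params(web_xml_text) or {}
    return "readonly" in params and params["readonly"].lower() != "true"


def parse_tomcat_version(text):
    """Extract (major, minor, patch) from strings like "Apache Tomcat/9.0.106"."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version in {text!r}")
    return tuple(int(x) for x in m.groups())


def tomcat_version_from_catalina_jar(jar_path):
    """Read the version Tomcat reports from lib/catalina.jar (ServerInfo.properties)."""
    with zipfile.ZipFile(jar_path) as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties").decode()
    for line in props.splitlines():
        if line.startswith("server.info="):
            return parse_tomcat_version(line)
    raise ValueError("server.info not found in ServerInfo.properties")


def version_status(version):
    """Classify a version tuple against the fix levels of its major branch."""
    branch = version[0]
    if branch not in FIX_LEVELS:
        raise ValueError(f"unknown Tomcat branch {branch}")
    return {"fixed": version >= FIX_LEVELS[branch],
            "hardened": version >= HARDENED_LEVELS[branch]}


def fs_is_case_insensitive(directory=None):
    """Probe whether the file system holding `directory` ignores case (NTFS does by default)."""
    directory = directory or tempfile.gettempdir()
    with tempfile.NamedTemporaryFile(dir=directory, prefix="CaseProbe_", suffix=".tmp") as probe:
        return os.path.exists(os.path.join(directory, os.path.basename(probe.name).swapcase()))


def assess(version_text, web_xml_text, case_insensitive):
    """Combine the three exploit preconditions into one verdict."""
    version = parse_tomcat_version(version_text)
    status = version_status(version)
    writable = default_servlet_writable(web_xml_text)
    return {
        "version": version,
        "version_fixed": status["fixed"],
        "version_hardened": status["hardened"],
        "default_servlet_writable": writable,
        "case_insensitive_fs": case_insensitive,
        # All three must hold for CVE-2024-50379 to be reachable.
        "exposed": (not status["fixed"]) and writable and case_insensitive,
        # A writable DefaultServlet is a finding on its own, fixed version or not.
        "review_writable": writable,
    }


if __name__ == "__main__":
    # Constructed inputs: the version the article cites and the shipped-style web.xml.
    for key, value in assess("Apache Tomcat/9.0.106", SHIPPED_WEB_XML,
                             fs_is_case_insensitive()).items():
        print(f"{key}: {value}")
```

Against a real installation, feed `tomcat_version_from_catalina_jar(os.path.join(catalina_home, "lib", "catalina.jar"))`, the contents of `conf/web.xml`, and `fs_is_case_insensitive(os.path.join(catalina_home, "webapps"))` into `assess`. A `review_writable` result of True is worth acting on even when `exposed` is False, since a write-enabled DefaultServlet is the setting the advisory tells you not to have.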
Affected Version Guidance
| Item | Guidance |
| Current patched DocuShare builds | Use Apache Tomcat 9.0.106 and are not affected by this CVE under the shipped configuration. |
| Older unpatched Tomcat 9.0.x deployments | Confirm whether the Tomcat level is older than 9.0.98 (the first 9.0.x release containing the fix) and whether any custom DefaultServlet configuration sets readonly to a value other than true. |
| Windows deployments with custom Tomcat changes | Review carefully, because NTFS is case-insensitive by default, so the file system condition for this CVE is met on Windows. |
Why DocuShare Is Not Exposed Under the Shipped Configuration
- The shipped DocuShare Tomcat configuration only overrides the listings parameter for the DefaultServlet.
- The shipped configuration does not set readonly=false for the DefaultServlet.
- Current patched DocuShare builds reference Apache Tomcat 9.0.106, which is already beyond the Tomcat 9.0.x fix level for this CVE.
Customer Questions
If your organization asks whether DocuShare itself contains the defect, the answer is no. This CVE is an Apache Tomcat issue that requires both a vulnerable Tomcat version and a write-enabled DefaultServlet configuration. Xerox evaluated the current DocuShare deployment model and found that the shipped configuration does not expose that path.