CVE-2024-56337 describes a race condition vulnerability in Apache Tomcat that affects the version used by supported versions of Sage CRM.
Note: A race condition vulnerability is a software bug that occurs when the outcome of a program depends on the timing or ordering of operations that are not properly synchronised. An unexpected ordering can lead to results such as system crashes or security breaches.
Apache Tomcat Version 9.0 is automatically installed by the Sage CRM Setup.
The issue affects Tomcat on Windows Servers when the default servlet has write enabled. Depending on the Java version running with Tomcat, additional configuration is needed to mitigate the risk.
Sage CRM 2024 R2 uses Eclipse Temurin JRE 8 as its Java Runtime Environment. The 64-bit version is automatically installed by the Sage CRM Setup. Alternatively, the 32-bit version of Oracle JRE 8 can be used, but it requires a purchased license.
Apache has issued guidance on how to mitigate the CVE-2024-56337 issue: tomcat.apache.org/security-9.html
Within the Sage CRM installation, the catalina.bat file needs to be updated.
The line that starts with
set CATALINA_OPTS=
must be changed to
set CATALINA_OPTS="-Dsun.io.useCanonCaches=false"
Save the catalina.bat file, then restart Tomcat.
Detailed steps to implement the mitigation
- Navigate to the Tomcat directory:
- Go to the directory where Apache Tomcat is installed. The default installation path is
%ProgramFiles(x86)%\Sage\CRM\<InstallName>\tomcat\bin
Replace <InstallName> with the actual name of your installation (e.g. "CRM" or similar).
- Open the catalina.bat file:
- In the bin folder, look for the file named catalina.bat.
- Right-click the file and select Edit to open it in a text editor (like Notepad).
- Find the CATALINA_OPTS line:
- Inside catalina.bat, locate the line that starts with
set CATALINA_OPTS=
It might appear twice, or you might see similar lines that set other options for Tomcat. Make sure you have the line that sets CATALINA_OPTS specifically.
- Modify the CATALINA_OPTS line:
- Once you have found the correct line, update it to include the following:
set CATALINA_OPTS="-Dsun.io.useCanonCaches=false"
- Save the changes:
- After making the modification, save the catalina.bat file and close the text editor.
- Restart Tomcat:
- Finally, restart the Tomcat server for the changes to take effect. You can do this by:
- Opening the Services application (type services.msc in the Start menu search).
- Finding Apache Tomcat in the list of services.
- Right-clicking it and selecting Restart.
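As an added example (not a script from Sage or Apache), the PowerShell below automates the check behind the steps above: it reports whether catalina.bat already sets the flag, applies the article's line with -Apply after backing the file up, and after the restart confirms the running JVM actually received the property. It assumes the default install path from step 1; $InstallName stands in for <InstallName>.

```powershell
# Added example, not Sage's or Apache's own script. Checks and optionally applies the
# CATALINA_OPTS mitigation, then verifies the flag on the running Tomcat JVM.
param(
    [string]$InstallName = "CRM",   # placeholder for the article's <InstallName>
    [switch]$Apply
)
$flag     = "-Dsun.io.useCanonCaches=false"
$binDir   = Join-Path ${env:ProgramFiles(x86)} "Sage\CRM\$InstallName\tomcat\bin"
$catalina = Join-Path $binDir "catalina.bat"
if (-not (Test-Path $catalina)) { throw "catalina.bat not found: $catalina" }

# Step 3 of the article: find every line that starts with 'set CATALINA_OPTS='
$lines  = Get-Content -Path $catalina
$optIdx = @(0..($lines.Count - 1) | Where-Object { $lines[$_] -match '^\s*set\s+"?CATALINA_OPTS=' })
if ($optIdx.Count -eq 0) { throw "No 'set CATALINA_OPTS=' line in $catalina; review it manually" }
if ($optIdx.Count -gt 1) { Write-Warning "CATALINA_OPTS is set $($optIdx.Count) times; review each line" }
$optIdx | ForEach-Object { "line {0}: {1}" -f ($_ + 1), $lines[$_] }

$present = @($optIdx | Where-Object { $lines[$_] -like "*$flag*" }).Count -gt 0
if ($present) {
    "catalina.bat already contains $flag"
} elseif ($Apply) {
    Copy-Item $catalina "$catalina.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $i = $optIdx[0]
    if ($lines[$i] -match '^\s*set\s+CATALINA_OPTS=\s*$') {
        # Bare line: replace it with exactly the line the article specifies
        $lines[$i] = 'set CATALINA_OPTS="-Dsun.io.useCanonCaches=false"'
        Set-Content -Path $catalina -Value $lines -Encoding ASCII
        "Updated line $($i + 1); restart the Tomcat service for it to take effect"
    } else {
        Write-Warning "Line $($i + 1) already carries other options; add $flag to it by hand"
    }
} else {
    Write-Warning "$flag is NOT set in catalina.bat (re-run with -Apply to set it)"
}

# Post-restart check: did the flag reach the JVM command line of this install's Tomcat?
$java = @(Get-CimInstance Win32_Process -Filter "Name = 'java.exe'" |
          Where-Object { $_.CommandLine -like "*\$InstallName\tomcat*" })
if ($java.Count -eq 0) {
    Write-Warning "No java.exe found for this install. If Tomcat runs as a tomcat9.exe (procrun) service, its JVM options live in the service configuration rather than catalina.bat; confirm the property is set there."
} else {
    foreach ($p in $java) {
        "PID $($p.ProcessId): flag on JVM command line = $($p.CommandLine -like "*$flag*")"
    }
}
```

Run it once before the restart to apply the change and once after to confirm the flag is present on the live process; a missing flag after the restart means the service did not start through the edited catalina.bat.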
Please note that this action applies to Sage CRM standalone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.
In all cases, we advise that the mitigation be applied as soon as possible.