CVE-2024-50379
Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case-insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
https://nvd.nist.gov/vuln/detail/CVE-2024-50379
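The CVE text names two conditions that must both hold: an affected Tomcat version, and a default servlet configured for write. The following script, an added example that is neither L-Soft's nor the Apache Tomcat project's code, checks both against a version string and a conf/web.xml. It assumes that the DefaultServlet's readonly init-param (default true) is the setting that enables write, and it encodes only the version ranges stated above; the case-insensitive file system condition is not checked here. The web.xml fragments are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the CVE description (inclusive bounds).
# Versions outside these ranges (e.g. 7.0.94, 8.5.x) are reported as not listed.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.1"),
    ("10.1.0-M1", "10.1.33"),
    ("9.0.0.M1", "9.0.97"),
]

# Tomcat version strings: 9.0.97, 11.0.0-M1 or the older 9.0.0.M1 milestone form.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def version_key(version):
    """Sortable tuple for a Tomcat version; a milestone (M-n) sorts before
    the final release with the same major.minor.patch numbers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def is_affected_version(version):
    """True if the version falls inside one of the ranges named by the CVE."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def _local(tag):
    # Strip the XML namespace so the check works for javaee and jakartaee web.xml files.
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if org.apache.catalina.servlets.DefaultServlet is declared with
    readonly=false; False if it is declared read-only (the Tomcat default);
    None if this file declares no DefaultServlet at all."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class, params = None, {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if servlet_class == "org.apache.catalina.servlets.DefaultServlet":
            return (params.get("readonly") or "true").lower() == "false"
    return None


def exposure(version, web_xml_text):
    """Both CVE conditions at once: affected version AND writable default servlet."""
    return bool(is_affected_version(version) and default_servlet_writable(web_xml_text))


# Constructed sample: the non-default, write-enabled configuration the CVE text refers to.
SAMPLE_WRITABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the shipped default (readonly not set, so it is true).
SAMPLE_DEFAULT_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for v in ("7.0.94", "9.0.97", "9.0.98", "11.0.0-M1", "11.0.2"):
        print(v, "listed as affected:", is_affected_version(v))
    print("writable sample exposed on 9.0.97:", exposure("9.0.97", SAMPLE_WRITABLE_WEB_XML))
    print("default sample exposed on 9.0.97:", exposure("9.0.97", SAMPLE_DEFAULT_WEB_XML))
```

In practice you would feed `default_servlet_writable` the contents of Tomcat's conf/web.xml (and any per-application web.xml that redeclares the default servlet) and `is_affected_version` the version reported by Tomcat's startup log; a True from `exposure` means both named preconditions are met and the upgrade recommended in the CVE text applies.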
Mitigation
There are no releases of LISTSERV Maestro that ship with any of the versions of Apache Tomcat listed in the CVE. LISTSERV Maestro has shipped with Apache Tomcat 7.0.94 since LISTSERV Maestro version 8.2-7 (17 May 2019) and continues to ship with that version of Apache Tomcat as of this writing (20 Dec 2024, and LISTSERV Maestro 11.1-3, released 28 Oct 2024).
An upgrade to a newer version of Apache Tomcat is scheduled for the release of LISTSERV Maestro 12; however, neither the specific version of Tomcat nor the release date for LISTSERV Maestro 12 has been determined. While we welcome inquiries via the usual L-Soft support addresses, please understand that the support department will have no concrete information until LISTSERV Maestro 12 is actually released.
The bottom line is that this CVE will not impact ANY LISTSERV Maestro customer or installation.
Also, LISTSERV itself does not ship with Apache Tomcat, and is not in and of itself affected by any Apache Tomcat vulnerability.