Sage CRM

  • 1.  Sage Advising Patch to Sage CRM Config

    Posted 01-22-2025 10:05

    CVE-2024-56337 is a race condition vulnerability in Apache Tomcat that affects Sage CRM when installed on Windows Servers with the default servlet set to write-enabled. This issue, tied to Java runtime configurations, can lead to security risks or system instability. Sage CRM installations using Apache Tomcat Version 9.0, paired with either Eclipse Temurin JRE 8 or Oracle JRE 8, are impacted. To address the vulnerability, Apache provides mitigation guidance, which includes updating the catalina.bat file within Tomcat to modify configuration options and restarting the server. Prompt application of the mitigation is recommended for all affected Sage CRM installations, including those integrated with Sage accounting products.

    Read the full announcement on the Sage Community - https://communityhub.sage.com/sage-global-solutions/sage-crm/f/announcements/241236/advisory-action-required-for-sage-crm-customers-to-mitigate-cve-2024-56337



    ------------------------------
    Wayne Schulz
    wayne@s-consult.com
    Schulz Consulting
    (860) 516-8990
    CT
    ------------------------------


  • 2.  RE: Sage Advising Patch to Sage CRM Config

    Posted 01-22-2025 10:06

    Please note that this action applies to Sage CRM standalone and when integrated with Sage accounting products: Sage 50, Sage 100, Sage 200, Sage 1000, Sage 300, Sage X3 and Sage Intacct.



    ------------------------------
    Wayne Schulz
    wayne@s-consult.com
    Schulz Consulting
    (860) 516-8990
    CT
    ------------------------------