{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-014.pdf"
    },
    "title": "Critical Vulnerability in Apache Tomcat",
    "serial_number": "2025-014",
    "publish_date": "03-04-2025 14:55:02",
    "description": "On March 10, 2025, Apache released a security advisory regarding a critical vulnerability affecting the Apache Tomcat product.<br>\nIt is recommended to update the affected assets to a fixed version of Apache Tomcat.<br>\n",
    "url_title": "2025-014",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Apache\u00a0Tomcat'\nnumber: '2025-014'\nversion: '1.0'\noriginal_date: '2025-04-03'\ndate: '2025-04-03'\n---\n\n_History:_\n\n* _03/04/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 10, 2025, Apache released a security advisory [1] regarding a critical vulnerability affecting the Apache Tomcat product.\n\nIt is recommended to update the affected assets to a fixed version of Apache Tomcat.\n\n# Technical Details\n\nThe vulnerability **CVE-2025-24813**, with a CVSS score of 9.8, lies in Apache Tomcat\u2019s partial PUT feature. Under specific circumstances, successful exploitation allows attackers to execute code remotely on target systems via unsafe deserialisation [1,2].\n\nAn attacker could view security-sensitive files and/or inject content into those files if all of the following are true:\n\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n\n_Note: other conditions are listed by the vendor, but disputed by researchers._\n\nAn attacker could achieve remote code execution if all of the following are true:\n\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- application is using Tomcat's file-based session persistence (disabled by default) with the default storage location\n- application includes a library that may be leveraged in a deserialisation attack (this is the case for many Java applications)\n\n# Affected Products\n\nThe following versions of Apache Tomcat are affected:\n\n- Apache Tomcat 11.0.0-M1 to 11.0.2 (fixed in 11.0.3 or later)\n- Apache Tomcat 10.1.0-M1 to 10.1.34 (fixed in 10.1.35 or later)\n- Apache Tomcat 9.0.0.M1 to 9.0.98 (fixed in 9.0.99 or later)\n\n# Recommendations\n\nCERT-EU recommends updating the affected products to the latest version.\n\n# References\n\n[1] <https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq>\n\n[2] <https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>03/04/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 10, 2025, Apache released a security advisory [1] regarding a critical vulnerability affecting the Apache Tomcat product.</p><p>It is recommended to update the affected assets to a fixed version of Apache Tomcat.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2025-24813</strong>, with a CVSS score of 9.8, lies in Apache Tomcat\u2019s partial PUT feature. Under specific circumstances, successful exploitation allows attackers to execute code remotely on target systems via unsafe deserialisation [1,2].</p><p>An attacker could view security-sensitive files and/or inject content into those files if all of the following are true:</p><ul><li>writes enabled for the default servlet (disabled by default)</li><li>support for partial PUT (enabled by default)</li></ul><p><em>Note: other conditions are listed by the vendor, but disputed by researchers.</em></p><p>An attacker could achieve remote code execution if all of the following are true:</p><ul><li>writes enabled for the default servlet (disabled by default)</li><li>support for partial PUT (enabled by default)</li><li>application is using Tomcat's file-based session persistence (disabled by default) with the default storage location</li><li>application includes a library that may be leveraged in a deserialisation attack (this is the case for many Java applications)</li></ul><h2 id=\"affected-products\">Affected Products</h2><p>The following versions of Apache Tomcat are affected:</p><ul><li>Apache Tomcat 11.0.0-M1 to 11.0.2 (fixed in 11.0.3 or later)</li><li>Apache Tomcat 10.1.0-M1 to 10.1.34 (fixed in 10.1.35 or later)</li><li>Apache Tomcat 9.0.0.M1 to 9.0.98 (fixed in 9.0.99 or later)</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating the affected products to the latest version.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq\">https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/\">https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}