Alert - Vulnerability impacting Apache Tomcat (CVE-2025-24813)

Number: AL25-002
Date: March 19, 2025

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On March 10, 2025, Apache published a security advisory (Footnote 1) regarding vulnerability CVE-2025-24813 impacting the Apache Tomcat web server software in the following versions:

  • Apache Tomcat – versions 11.0.0-M1 to 11.0.2
  • Apache Tomcat – versions 10.1.0-M1 to 10.1.34
  • Apache Tomcat – versions 9.0.0.M1 to 9.0.98

This vulnerability could allow a malicious actor to view or inject arbitrary content into security-sensitive files or achieve remote code execution. Exploitation does not require authentication and is caused by Tomcat accepting partial PUT requests combined with its default session persistence (Footnote 2, Footnote 3).

Additionally, Apache states that the following conditions are required for a malicious actor to view or inject content into security-sensitive files (Footnote 1):

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security-sensitive uploads that was a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security-sensitive files being uploaded
  • the security-sensitive files also being uploaded via partial PUT

Apache also states that the following conditions are required for a malicious actor to achieve remote code execution (Footnote 1):

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file-based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack

In response to this advisory, the Cyber Centre released advisory AV25-127 on March 10 (Footnote 4).

Suggested Actions

Organizations should review their configurations to determine their risk, and verify whether they are running any vulnerable versions of Apache Tomcat.

Organizations are advised to update to the following versions of Apache Tomcat (Footnote 1):

  • Apache Tomcat – version 11.0.3 or later
  • Apache Tomcat – version 10.1.35 or later
  • Apache Tomcat – version 9.0.99 or later
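As an added illustration of how the version list and the configuration conditions above translate into a check (example code written for this page, not Cyber Centre or Apache code), the script below compares a Tomcat version string against the first fixed release of each branch named in this alert, then reads a web.xml and a context.xml for the two configuration preconditions shared by both condition lists: the DefaultServlet `readonly` and `allowPartialPut` init-params, and a `PersistentManager` with a `FileStore` session store. The sample XML and version strings are constructed for the demonstration. The remaining conditions (upload path layout, attacker knowledge of file names, presence of a library usable in a deserialization attack) are not machine-checkable from these two files and still need manual review.

```python
"""Added example for this alert (not Cyber Centre or Apache code): triage a
Tomcat instance against the version ranges and the preconditions listed above.
The file contents and version strings below are constructed for the demo."""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the alert's "update to" list.
FIRST_FIXED = {"11.0": (11, 0, 3), "10.1": (10, 1, 35), "9.0": (9, 0, 99)}


def parse_version(text):
    """Turn '9.0.98', '9.0.0.M1' or '11.0.0-M1' into a sortable tuple.
    Milestones sort before the final release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    release = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), release)


def is_vulnerable_version(text):
    """True if the version is in an affected range, False if fixed,
    None if the branch is not covered by the alert (e.g. end-of-life 8.5)."""
    version = parse_version(text)
    fixed = FIRST_FIXED.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return None
    return version < fixed + ((1, 0),)


def _local(tag):
    # web.xml carries a namespace; compare on the local element name only.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params of the servlet named 'default' ({} if none)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-name")
        if name.strip() != "default":
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv.get("param-name", "")] = kv.get("param-value", "").lower()
        return params
    return {}


def uses_file_store_sessions(context_xml):
    """True if context.xml configures PersistentManager with a FileStore,
    i.e. the file-based session persistence named in the alert."""
    for manager in ET.fromstring(context_xml).iter("Manager"):
        if not (manager.get("className") or "").endswith("PersistentManager"):
            continue
        for store in manager.iter("Store"):
            if (store.get("className") or "").endswith("FileStore"):
                return True
    return False


def assess(version, web_xml, context_xml):
    """Map the alert's machine-checkable preconditions onto one instance.
    Path layout and gadget-library presence are left for manual review."""
    params = default_servlet_params(web_xml)
    f = {
        "vulnerable_version": is_vulnerable_version(version),
        # DefaultServlet defaults: readonly=true, allowPartialPut=true
        "writes_enabled": params.get("readonly", "true") == "false",
        "partial_put": params.get("allowPartialPut", "true") != "false",
        "file_session_store": uses_file_store_sessions(context_xml),
    }
    f["partial_put_writable"] = bool(f["vulnerable_version"]) and f["writes_enabled"] and f["partial_put"]
    f["rce_preconditions_met"] = f["partial_put_writable"] and f["file_session_store"]
    return f


# Constructed sample files: writes enabled on the default servlet, file store on.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for v in ("9.0.98", "9.0.99", "11.0.0-M1", "8.5.100"):
        print(v, is_vulnerable_version(v))
    for key, val in assess("10.1.34", SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML).items():
        print(f"{key:24} {val}")
```

In practice, point the two parsers at `conf/web.xml` (plus any per-application `WEB-INF/web.xml` that redefines the default servlet) and at `conf/context.xml` or the application's `META-INF/context.xml`; a `vulnerable_version` of `None` means the branch is outside the alert's scope and should be checked against Apache's own advisory rather than treated as fixed.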

Organizations should also review and implement the Cyber Centre's Top 10 IT Security Actions (Footnote 5) with an emphasis on the following topics:

  • Consolidate, monitor, and defend Internet gateways.
  • Patch operating systems and applications.
  • Isolate web-facing applications.
  • Harden operating systems and applications.

Determine if associated malicious activity has occurred in potentially vulnerable systems. Should this be the case, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
