tomcat-9.0.87-2.el9_5.1

Errata ID: AXSA:2025-9840:01

Release date: 
Wednesday, April 9, 2025 - 16:52
Subject: 
tomcat-9.0.87-2.el9_5.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: RCE due to TOCTOU issue in JSP compilation (CVE-2024-50379)
* tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-50379
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
CVE-2025-24813
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

* writes enabled for the default servlet (disabled by default)
* support for partial PUT (enabled by default)
* a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
* attacker knowledge of the names of security sensitive files being uploaded
* the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

* writes enabled for the default servlet (disabled by default)
* support for partial PUT (enabled by default)
* application was using Tomcat's file based session persistence with the default storage location
* application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
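Both CVEs above share one non-default precondition: writes enabled on Tomcat's DefaultServlet (the `readonly` init-param set to `false`). The following is an added example, not part of this advisory or of Tomcat's own code, that reads a conf/web.xml and reports whether that precondition is present; the servlet class name and the `readonly` parameter are Tomcat's own, while the sample web.xml is constructed.

```python
"""Report whether a Tomcat conf/web.xml enables writes on the DefaultServlet.
Added example (not from the advisory). The sample document below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: DefaultServlet with readonly=false, i.e. the non-default
# write-enabled setting that CVE-2024-50379 and CVE-2025-24813 both require.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so javaee and jakartaee documents both match."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the DefaultServlet's init-params as a dict (empty if not declared)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join((c.text or "") for c in servlet if _local(c.tag) == "servlet-class")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            fields = {_local(c.tag): (c.text or "").strip() for c in ip}
            if fields.get("param-name"):
                params[fields["param-name"]] = fields.get("param-value", "")
        return params
    return {}


def default_servlet_writable(web_xml_text):
    """True only when readonly is explicitly 'false'; Tomcat's default is true."""
    return default_servlet_params(web_xml_text).get("readonly", "true").lower() == "false"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print("DefaultServlet writes enabled:", default_servlet_writable(text))
```

Run it against the real file with `python3 check_web_xml.py /etc/tomcat/web.xml` (path assumed for this package); a `True` result means the host meets the first precondition of both CVEs regardless of patch level, and the remediation is restoring `readonly` to `true` or removing the override.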

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat-9.0.87-2.el9_5.1.src.rpm
    MD5: ff25c0263afbe8bbbfd1092805a6a342
    SHA-256: 687c4f26523f7d5324342498fb2a185d825624add880d73ce18d5f03b125584c
    Size: 15.12 MB

Asianux Server 9 for x86_64
  1. tomcat-9.0.87-2.el9_5.1.noarch.rpm
    MD5: 893283dcb449f8affe73ee946353bb77
    SHA-256: c6ac3ef24f9e4286f6e9aff90b931f54e7ee532b60a23ac4aa5027d8fcdc93d3
    Size: 98.33 kB
  2. tomcat-admin-webapps-9.0.87-2.el9_5.1.noarch.rpm
    MD5: d59526d1809472ee3fef1d6c337483e8
    SHA-256: 2ca2e1faa822aee632b1a1f0ca642ff7c99a532d67f15e96706d8e044fc87efd
    Size: 79.15 kB
  3. tomcat-docs-webapp-9.0.87-2.el9_5.1.noarch.rpm
    MD5: 04c13d84c6993217803b3fcccec86d19
    SHA-256: ea4c75bfd062ae290d3e316286ad5f47e4b6ac8bdfee06f2dd3c938094ade4d9
    Size: 725.50 kB
  4. tomcat-el-3.0-api-9.0.87-2.el9_5.1.noarch.rpm
    MD5: 3ee61ae03d44954b5fc8f7698f1d568e
    SHA-256: 14846ec73dc939baba48ec04d117c0bcab0ea5316159f0a9b679398061520df9
    Size: 104.90 kB
  5. tomcat-jsp-2.3-api-9.0.87-2.el9_5.1.noarch.rpm
    MD5: 88a643d795c70e7dde81b1b892d549ae
    SHA-256: e4fb96fd5fef9a464a2672c39716ca551777a8314b7f1c4370b3fab6391ba5e8
    Size: 71.84 kB
  6. tomcat-lib-9.0.87-2.el9_5.1.noarch.rpm
    MD5: 84ec2cb30ccb8bf050f647dfc024af8a
    SHA-256: ea97d9bbd4ace12821c4221b1b0ebbbb760a251acaf6aa6c30f15b4ed0f822ab
    Size: 5.97 MB
  7. tomcat-servlet-4.0-api-9.0.87-2.el9_5.1.noarch.rpm
    MD5: a190ecb131d6070ae71ec5e30a9c4363
    SHA-256: 26092fd951dc14074de936473daeb80ddc3349449c845a0844692cf0db35b1a4
    Size: 283.87 kB
  8. tomcat-webapps-9.0.87-2.el9_5.1.noarch.rpm
    MD5: e8a93bd688690f21beb5c68b5b6dd283
    SHA-256: 4c625a392c0d6f0af21ac754bbb4febfdcf2f09221204ef257cf1e69a8a6f1ca
    Size: 80.02 kB