tomcat-9.0.87-1.el8_10.3
Errata ID: AXSA:2025-9846:02
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* tomcat: RCE due to TOCTOU issue in JSP compilation (CVE-2024-50379)
* tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-50379
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
CVE-2025-24813
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
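Both CVEs above share one precondition: the DefaultServlet has writes enabled, which Tomcat ships disabled (readonly=true), and CVE-2025-24813 additionally needs partial PUT support, which the advisory says is enabled by default. The following script, added to this errata page as an example and not part of Tomcat or the distribution's tooling, audits a Tomcat conf/web.xml for exactly those two settings so an administrator can confirm an instance is not running in the affected configuration while the update is rolled out. It assumes the init-param names readonly and allowPartialPut as documented for the DefaultServlet and embeds two constructed web.xml fragments as sample input.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet preconditions named in the
advisory: writes enabled (readonly=false) and partial PUT support (allowPartialPut).
Example added for this errata page; not Tomcat's own code."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: DefaultServlet with writes enabled and partial PUT left at its default.
WRITABLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: writes left at the shipped default (readonly=true) and partial PUT disabled.
HARDENED_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    # Strip the XML namespace so the audit works with any web-app schema version.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_init_params(web_xml_text):
    """Return the DefaultServlet's init-params as a dict, or None if it is not declared."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        params = {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                name = _child_text(child, "param-name")
                if name:
                    params[name] = _child_text(child, "param-value")
        return params
    return None


def _flag(params, name, default):
    # Init-param values are strings; an absent parameter takes Tomcat's default.
    value = params.get(name)
    return default if value is None else value.lower() == "true"


def audit_default_servlet(web_xml_text):
    """Report whether the advisory's configuration preconditions are present."""
    params = default_servlet_init_params(web_xml_text)
    if params is None:
        return {"declared": False, "writes_enabled": False,
                "partial_put_enabled": False, "findings": []}
    writes_enabled = not _flag(params, "readonly", True)       # shipped default: readonly=true
    partial_put = _flag(params, "allowPartialPut", True)       # advisory: enabled by default
    findings = []
    if writes_enabled:
        findings.append("DefaultServlet accepts writes (readonly=false): "
                        "precondition for CVE-2024-50379 and CVE-2025-24813")
    if writes_enabled and partial_put:
        findings.append("partial PUT enabled together with writes: "
                        "CVE-2025-24813 preconditions met")
    return {"declared": True, "writes_enabled": writes_enabled,
            "partial_put_enabled": partial_put, "findings": findings}


if __name__ == "__main__":
    import sys
    # Usage: python audit_web_xml.py /path/to/tomcat/conf/web.xml (falls back to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit_default_servlet(fh.read()))
    else:
        for label, text in (("writable", WRITABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
            print(label, audit_default_servlet(text))
```

A clean result from this audit only confirms the configuration side of the preconditions; the package update remains the fix, since the version ranges in the advisory are what determines exposure once writes are enabled.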
Update packages.
N/A
SRPMS
- tomcat-9.0.87-1.el8_10.3.src.rpm
MD5: e6c8e608d4c83c98e98701698a4535ba
SHA-256: af4ca00423879f6c0960334573c617a678648407e1e8bdb6733478213a36053d
Size: 15.11 MB
Asianux Server 8 for x86_64
- tomcat-9.0.87-1.el8_10.3.noarch.rpm
MD5: c85bc92243ca71b7633e5e5967d1c2af
SHA-256: aefe95e7f37a5958c0421610c29f414ec9d563346a75601f19878880ad622e88
Size: 93.40 kB
- tomcat-admin-webapps-9.0.87-1.el8_10.3.noarch.rpm
MD5: ae4db6a41c179a90b664474758a20a3a
SHA-256: 99a28df99472650f6e584fbc0b95ca948c3ae54f223605bebd646248441f90db
Size: 74.34 kB
- tomcat-docs-webapp-9.0.87-1.el8_10.3.noarch.rpm
MD5: 4e4b0c3857147ea30cd869025ae2ca77
SHA-256: 1422e9472e4dd2e56783954c5ddafdb41cc27ea2e07f7cff95f6220b71244770
Size: 755.50 kB
- tomcat-el-3.0-api-9.0.87-1.el8_10.3.noarch.rpm
MD5: 22b78f2912e52ac3c7fd987e6eaaccf4
SHA-256: 75993fb6c2163fbf836b93471d6c7336b1db27a3dc83b40b258544b60997337a
Size: 107.37 kB
- tomcat-jsp-2.3-api-9.0.87-1.el8_10.3.noarch.rpm
MD5: b62b0608c6bf0deec20a317768174db6
SHA-256: 5edff6add4f1e159424e7b6a0149e015eec89c51235eafba3a57049308776aa3
Size: 73.25 kB
- tomcat-lib-9.0.87-1.el8_10.3.noarch.rpm
MD5: 7960dfa00d31c94688e830ca25e935b5
SHA-256: c1ad122629dbef41f177814c10290617d85928e9f1666c07dd7af5222abd3a21
Size: 6.04 MB
- tomcat-servlet-4.0-api-9.0.87-1.el8_10.3.noarch.rpm
MD5: 8109817a06baa66ca02a33b85cfe13a1
SHA-256: 1470a0639dd986d7efa501a79ca0a0a5d8804095b5c4830c394da7af78cb4e04
Size: 287.93 kB
- tomcat-webapps-9.0.87-1.el8_10.3.noarch.rpm
MD5: bc041e5e699865d9abe16d677d71fedb
SHA-256: a2fe91d6af259d819679bbc6c63c15f6c19b2590270d37c94b512b097f75d14f
Size: 81.75 kB