tomcat-7.0.76-16.0.3.el7.AXS7

Errata ID: AXSA:2025-10787:07

Release date: 
Monday, September 1, 2025 - 09:59
Subject: 
tomcat-7.0.76-16.0.3.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

Security Fix(es):

* CVE-2025-24813: fix path equivalence vulnerability leading to remote code
execution and information disclosure

CVE(s):
CVE-2025-24813
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

Asianux Server 7 for x86_64
  1. tomcat-7.0.76-16.0.3.el7.AXS7.noarch.rpm
    MD5: a61b365a71dba6d3d85dffae774068ab
    SHA-256: 1ef6e58f61f0d6f12ef19ed12e5d61bbf8349db093f6d12c5cd65a9def90ddfd
    Size: 92.99 kB
  2. tomcat-admin-webapps-7.0.76-16.0.3.el7.AXS7.noarch.rpm
    MD5: 27d1a0ef0300ff2586c4c475e36b62c8
    SHA-256: f09dfbde1eccb3a1a39ea5b637b61cffc8af3d762a2d8156a443b4421314b7fd
    Size: 41.09 kB
  3. tomcat-el-2.2-api-7.0.76-16.0.3.el7.AXS7.noarch.rpm
    MD5: 1516afed4ed47e137000c20839f05f4c
    SHA-256: b828405cc08a2ee3a9c0151589276d5e2640cd4c2ae9d53ac0b649fe7b7806bb
    Size: 82.33 kB
  4. tomcat-jsp-2.2-api-7.0.76-16.0.3.el7.AXS7.noarch.rpm
    MD5: b08edbdd493832e18d6672acbc5ab4e8
    SHA-256: e7783fffbe2fb431fec83b1a502367cd972ebb399c7ee36900bb800cf5c9289d
    Size: 96.05 kB
  5. tomcat-lib-7.0.76-16.0.3.el7.AXS7.noarch.rpm
    MD5: 9b9a5e738fdc2357b620122e1759f12f
    SHA-256: 5db8a095ecb525097a17266b49546fad67ce78fd1ec5dbe0e5345bda6a428fdc
    Size: 3.87 MB
  6. tomcat-servlet-3.0-api-7.0.76-16.0.3.el7.AXS7.noarch.rpm
    MD5: 17e604d18163c8038119ad1dc6a5d28a
    SHA-256: 2913369e0b6ae6ed3efc96a01e035f6c9c00b720aa6e857c3ea584c412e41eca
    Size: 213.39 kB
  7. tomcat-webapps-7.0.76-16.0.3.el7.AXS7.noarch.rpm
    MD5: a0f8e25da9260009b45cbf1304007524
    SHA-256: ce557095f05bf2e43f17fbd83c2ae5bc3612d41f9f3e5325532df0aee5a6ac4f
    Size: 342.20 kB