This vulnerability in Apache Tomcat arises from improper handling of path equivalence ('file.Name', internal dot) in the default servlet's treatment of file names. When the default servlet is write-enabled (it is read-only by default), an attacker can abuse partial PUT requests to upload malicious content or disclose sensitive information. The issue is exacerbated if the application uses file-based session persistence with the default storage location and includes a deserialization-prone library, potentially leading to Remote Code Execution (RCE).
The vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Attackers can exploit this by leveraging partial PUT requests to inject malicious content into uploaded files or access sensitive files if they know their names. The severity is high due to the potential for RCE and data compromise. Users are advised to upgrade to patched versions: 11.0.3, 10.1.35, or 9.0.99.
DailyCVE Form:
Platform: Apache Tomcat
Version: 11.0.0-M1 to 11.0.2
Vulnerability: RCE/Info Disclosure
Severity: High
Date: Mar 10, 2025
What Undercode Says:
Exploitation:
- Partial PUT Request: Attackers use partial PUT requests to upload malicious files.
curl -X PUT -d @malicious.txt http://target:8080/path/to/file
- Path Traversal: Exploit internal dot path equivalence to access sensitive files.
curl http://target:8080/path/to/../sensitive/file
- Deserialization: Leverage file-based session persistence to execute malicious code.
ObjectInputStream ois = new ObjectInputStream(new FileInputStream("malicious.ser")); ois.readObject();
Protection:
- Upgrade: Update to patched versions (11.0.3, 10.1.35, 9.0.99).
wget https://downloads.apache.org/tomcat/tomcat-11/v11.0.3/bin/apache-tomcat-11.0.3.tar.gz
- Disable Partial PUT: Disable partial PUT support on the default servlet. The `allowPartialPut` init-param is a DefaultServlet parameter (configured in conf/web.xml, not on the Connector) and was introduced in the patched versions, so upgrade first.
<servlet>
  <servlet-name>default</servlet-name>
  <init-param>
    <param-name>allowPartialPut</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
- Restrict Write Permissions: Ensure the default servlet is not write-enabled.
<servlet>
  <servlet-name>default</servlet-name>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
- Input Validation: Validate file names and paths to prevent path traversal.
if (fileName.contains("..")) { throw new SecurityException("Invalid file name"); }
- Session Persistence: Avoid file-based session persistence or secure the storage location.
<Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="false"/>
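As an added example (not part of the original post or of Tomcat itself), the following Python script audits a Tomcat web.xml for the two DefaultServlet settings discussed above, `readonly` and `allowPartialPut`, treating missing parameters as Tomcat's defaults; the embedded web.xml fragment is constructed sample input.

```python
"""Audit a Tomcat web.xml for the DefaultServlet settings that matter here."""
import xml.etree.ElementTree as ET

# Constructed sample: a conf/web.xml fragment that makes the default servlet
# writable and leaves partial PUT at its (enabled) default.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so web.xml files with any schema parse alike."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the servlet named 'default', or {} if absent."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}

def audit(web_xml: str) -> list:
    """Tomcat defaults: readonly=true; allowPartialPut=true (patched builds only).
    Partial PUT is only a concern once the servlet is write-enabled."""
    p = default_servlet_params(web_xml)
    findings = []
    write_enabled = p.get("readonly", "true").lower() == "false"
    if write_enabled:
        findings.append("default servlet is write-enabled (readonly=false)")
    if write_enabled and p.get("allowPartialPut", "true").lower() != "false":
        findings.append("partial PUT not disabled (allowPartialPut missing or true)")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_WEB_XML):
        print("FINDING:", f)
```

Run it against a real conf/web.xml (and each application's WEB-INF/web.xml, which can override the default servlet) to confirm the Protection steps above were actually applied.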
Analytics:
- Affected Versions: 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98.
- Attack Vector: Network-based, partial PUT requests.
- Impact: High (RCE, data disclosure, data corruption).
- Mitigation: Upgrade, disable partial PUT, restrict write permissions.
By following these steps, users can mitigate the risks associated with this vulnerability and secure their Apache Tomcat servers.
References:
Reported By: https://github.com/advisories/GHSA-83qj-6fr2-vhqg