Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
For those of us who are not intimately familiar with the Apache Tomcat packaging ecosystem, could you please provide a list of RPM package names that we should be investigating for version compliance? Thanks!
A quick guess finds on my EL8 system: tomcat-9.0.87-1.el8_10.2.noarch, which appears not to meet the recommendation in comment #1. AFAIK my system is fully up-to-date. Will an updated EL8 package be released to mitigate this vulnerability?
This issue has been addressed in the following products:

Red Hat JBoss Web Server

Via RHSA-2025:3455 https://access.redhat.com/errata/RHSA-2025:3455
This issue has been addressed in the following products:

Red Hat JBoss Web Server 5.8 on RHEL 7
Red Hat JBoss Web Server 5.8 on RHEL 8
Red Hat JBoss Web Server 5.8 on RHEL 9

Via RHSA-2025:3454 https://access.redhat.com/errata/RHSA-2025:3454
(In reply to errata-xmlrpc from comment #5)
> This issue has been addressed in the following products:
>
> Red Hat JBoss Web Server
>
> Via RHSA-2025:3455 https://access.redhat.com/errata/RHSA-2025:3455

(In reply to errata-xmlrpc from comment #6)
> This issue has been addressed in the following products:
>
> Red Hat JBoss Web Server 5.8 on RHEL 7
> Red Hat JBoss Web Server 5.8 on RHEL 8
> Red Hat JBoss Web Server 5.8 on RHEL 9
>
> Via RHSA-2025:3454 https://access.redhat.com/errata/RHSA-2025:3454

How does this relate to folks that have tomcat-9.0.87-1.el8_10.2.noarch installed on their EL8 systems as dependencies of other software suites on EL8, such as IDM?
Hello,

(In reply to Brian J. Murrell from comment #7)
> (In reply to errata-xmlrpc from comment #5)
....
> > Via RHSA-2025:3454 https://access.redhat.com/errata/RHSA-2025:3454
>
> How does this relate to folks that have tomcat-9.0.87-1.el8_10.2.noarch
> installed on their EL8 systems as dependencies of other software suites on
> EL8, such as IDM?

First, confirming that the tomcat package is the correct package to check. Second, the RHSA noted in the comment is for a different, layered product, so it doesn't affect the RHEL tomcat packages. Those will be addressed in separate releases at a later date.

In response to your previous note:
> which appears to not meet the recommendation in comment #1. AFAIK my system is fully up-to-date.

The issue will be addressed in the tomcat package by backporting the fix to the version (9.0.87) that we provide support for, not by updating to the latest available upstream version.

There will be further comments on this BZ issue with the RHSAs that address RHEL streams as they are released.

Please let us know if you have other questions.
(In reply to Coty Sutherland from comment #8)
> Hello,
>
> (In reply to Brian J. Murrell from comment #7)
> > (In reply to errata-xmlrpc from comment #5)
> ....
> > > Via RHSA-2025:3454 https://access.redhat.com/errata/RHSA-2025:3454
> >
> > How does this relate to folks that have tomcat-9.0.87-1.el8_10.2.noarch
> > installed on their EL8 systems as dependencies of other software suites on
> > EL8, such as IDM?
>
> First, confirming that the tomcat package is the correct package to check.
> Second, the RHSA noted in the comment is for a different, layered product, so
> it doesn't affect the RHEL tomcat packages. Those will be addressed in
> separate releases at a later date.
>
> In response to your previous note:
> > which appears to not meet the recommendation in comment #1. AFAIK my system is fully up-to-date.
>
> The issue will be addressed in the tomcat package by backporting the fix to
> the version (9.0.87) that we provide support for, not by updating to the
> latest available upstream version.
>
> There will be further comments on this BZ issue with the RHSAs that address
> RHEL streams as they are released.
>
> Please let us know if you have other questions.

Can we know when the Tomcat version 9.0.87 security vulnerability fix in RHEL8 is going to be released? Will the next RHEL8 patch release include the Tomcat fix? Some of us need this information for the leadership. They want to know when Red Hat is going to address this issue. We need a date.
(In reply to Coty Sutherland from comment #8)
> Hello,
>
> (In reply to Brian J. Murrell from comment #7)
> > (In reply to errata-xmlrpc from comment #5)
> ....
> > > Via RHSA-2025:3454 https://access.redhat.com/errata/RHSA-2025:3454
> >
> > How does this relate to folks that have tomcat-9.0.87-1.el8_10.2.noarch
> > installed on their EL8 systems as dependencies of other software suites on
> > EL8, such as IDM?
>
> First, confirming that the tomcat package is the correct package to check.
> Second, the RHSA noted in the comment is for a different, layered product, so
> it doesn't affect the RHEL tomcat packages. Those will be addressed in
> separate releases at a later date.
>
> In response to your previous note:
> > which appears to not meet the recommendation in comment #1. AFAIK my system is fully up-to-date.
>
> The issue will be addressed in the tomcat package by backporting the fix to
> the version (9.0.87) that we provide support for, not by updating to the
> latest available upstream version.
>
> There will be further comments on this BZ issue with the RHSAs that address
> RHEL streams as they are released.
>
> Please let us know if you have other questions.

Can we know when the fix will be backported to Tomcat version 9.0.87? Will the next RHEL8 patch release include the Tomcat fix? Is there any specific date for the RHSA release? Before the official Red Hat fix, is there any technical approach that can be used to backport the fix to Tomcat version 9.0.87?
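The thread's recurring question is whether an installed tomcat RPM such as tomcat-9.0.87-1.el8_10.2.noarch is affected when, as comment #8 explains, RHEL backports the fix without bumping the upstream version. The following Python is an added example (not from Red Hat or the bug report): it compares the upstream version against the advisory's affected ranges, and only when a fixed RPM release from the relevant RHSA is supplied does it decide by release comparison. The `fixed_release` values are assumed placeholders; the real ones come from the errata pages linked in this bug.

```python
import re

# Upper bound of each affected branch, taken from the advisory text at the top of this bug.
AFFECTED_THROUGH = {"11.0": "11.0.2", "10.1": "10.1.34", "9.0": "9.0.98"}

def parse_upstream(v):
    """Tomcat version -> sortable tuple; milestones (11.0.0-M1, 9.0.0.M1) sort before the release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))

def upstream_affected(v):
    """True/False per the advisory ranges; None if the branch is not listed there."""
    t = parse_upstream(v)
    bound = AFFECTED_THROUGH.get(f"{t[0]}.{t[1]}")
    return None if bound is None else t <= parse_upstream(bound)

def rpmvercmp(a, b):
    """Simplified rpm-style segment comparison: numeric segments by value, alpha segments lexically,
    numeric newer than alpha, longer wins when all shared segments are equal."""
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def rpm_status(nvra, fixed_release=None):
    """Classify an installed tomcat RPM. fixed_release is the release field of the RHSA build
    for the same upstream version (not stated in this bug; read it from the errata page)."""
    m = re.fullmatch(r"tomcat-(\d+\.\d+\.\d+)-([^-\s]+)\.(noarch|x86_64|aarch64)", nvra)
    if not m:
        raise ValueError(f"not a tomcat NVRA: {nvra}")
    version, release, _arch = m.groups()
    affected = upstream_affected(version)
    if affected is None:
        return "unknown-branch"
    if not affected:
        return "fixed-upstream"
    if fixed_release is None:
        return "affected-upstream; check errata for backport"
    return "patched-by-errata" if rpmvercmp(release, fixed_release) >= 0 else "vulnerable"
```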
When will the fix be coming for the IPA PKI Server tomcat, as it is on the same version, i.e.:

Name        : tomcat
Epoch       : 1
Version     : 9.0.87
Release     : 2.el9
Architecture: noarch
Install Date: Mon 17 Mar 2025 02:29:17 PM IST
Group       : Unspecified
Size        : 330049
License     : ASL 2.0
Signature   : RSA/SHA256, Wed 21 Aug 2024 07:00:23 PM IST, Key ID 199e2f91fd431d51
Source RPM  : tomcat-9.0.87-2.el9.src.rpm
This issue has been addressed in the following products:

Red Hat JBoss Web Server

Via RHSA-2025:3609 https://access.redhat.com/errata/RHSA-2025:3609
This issue has been addressed in the following products:

Red Hat JBoss Web Server 6.1 on RHEL 8
Red Hat JBoss Web Server 6.1 on RHEL 9

Via RHSA-2025:3608 https://access.redhat.com/errata/RHSA-2025:3608
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2025:3645 https://access.redhat.com/errata/RHSA-2025:3645
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3646 https://access.redhat.com/errata/RHSA-2025:3646
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3647 https://access.redhat.com/errata/RHSA-2025:3647
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2025:3683 https://access.redhat.com/errata/RHSA-2025:3683
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:3684 https://access.redhat.com/errata/RHSA-2025:3684
This issue has been addressed in the following products:

Red Hat Enterprise Linux 10

Via RHSA-2025:7494 https://access.redhat.com/errata/RHSA-2025:7494
This issue has been addressed in the following products:

Red Hat Enterprise Linux 10

Via RHSA-2025:7497 https://access.redhat.com/errata/RHSA-2025:7497