Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0954-1 Final 1 1 2025-03-19T13:50:54Z current 2025-03-19T13:50:54Z 2025-03-19T13:50:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: - CVE-2025-24813: Fixed potential RCE and/or information disclosure/corruption with partial PUT (bsc#1239302) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-954,SUSE-SLE-SERVER-12-SP5-LTSS-2025-954,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-954 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250954-1/ Link for SUSE-SU-2025:0954-1 https://lists.suse.com/pipermail/sle-security-updates/2025-March/020559.html E-Mail link for SUSE-SU-2025:0954-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1239302 SUSE Bug 1239302 https://www.suse.com/security/cve/CVE-2025-24813/ SUSE CVE CVE-2025-24813 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-9.0.36-3.139.1 tomcat-admin-webapps-9.0.36-3.139.1 tomcat-docs-webapp-9.0.36-3.139.1 tomcat-el-3_0-api-9.0.36-3.139.1 tomcat-embed-9.0.36-3.139.1 tomcat-javadoc-9.0.36-3.139.1 tomcat-jsp-2_3-api-9.0.36-3.139.1 tomcat-jsvc-9.0.36-3.139.1 tomcat-lib-9.0.36-3.139.1 tomcat-servlet-4_0-api-9.0.36-3.139.1 tomcat-webapps-9.0.36-3.139.1 tomcat-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-admin-webapps-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-docs-webapp-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-el-3_0-api-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-javadoc-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-jsp-2_3-api-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-lib-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-servlet-4_0-api-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-webapps-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tomcat-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-admin-webapps-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-docs-webapp-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-el-3_0-api-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-javadoc-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-jsp-2_3-api-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-lib-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-servlet-4_0-api-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-webapps-9.0.36-3.139.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue. CVE-2025-24813 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-admin-webapps-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-docs-webapp-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-el-3_0-api-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-javadoc-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-jsp-2_3-api-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-lib-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-servlet-4_0-api-9.0.36-3.139.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tomcat-webapps-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-admin-webapps-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-docs-webapp-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-el-3_0-api-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-javadoc-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-jsp-2_3-api-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-lib-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-servlet-4_0-api-9.0.36-3.139.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-webapps-9.0.36-3.139.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250954-1/ https://www.suse.com/security/cve/CVE-2025-24813.html CVE-2025-24813 https://bugzilla.suse.com/1239302 SUSE Bug 1239302