Red Hat Enterprise Linux 9 update for tomcat

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU101814

Risk: Medium

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-50379

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing access restrictions to the default servlet. If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux Server - AUS: 9.2

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support: 9.2

Red Hat Enterprise Linux for Power, little endian - Extended Update Support: 9.2

Red Hat Enterprise Linux for ARM 64 - Extended Update Support: 9.2

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions: 9.2

Red Hat Enterprise Linux for x86_64 - Extended Update Support: 9.2

tomcat (Red Hat package): All versions

CPE2.3

• cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_aus:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_arm_64_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:a:red_hat:red_hat_enterprise_linux_server_for_ibm_power_le_-_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_x86_64_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:a:red_hat:tomcat_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*

External links

https://access.redhat.com/errata/RHSA-2025:3646

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Input validation error

EUVDB-ID: #VU105485

Risk: Critical

CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2025-24813

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when handling file uploads via HTTP PUT requests. A remote attacker can send a specially crafted HTTP PUT request to the server and gain access to sensitive information or even execute arbitrary code.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
• attacker knowledge of the names of security sensitive files being uploaded
• the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• application was using Tomcat's file based session persistence with the default storage location
• application included a library that may be leveraged in a deserialization attack

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux Server - AUS: 9.2

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support: 9.2

Red Hat Enterprise Linux for Power, little endian - Extended Update Support: 9.2

Red Hat Enterprise Linux for ARM 64 - Extended Update Support: 9.2

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions: 9.2

Red Hat Enterprise Linux for x86_64 - Extended Update Support: 9.2

tomcat (Red Hat package): All versions

CPE2.3

• cpe:2.3:o:red_hat:red_hat_enterprise_linux_server_-_aus:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_arm_64_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:a:red_hat:red_hat_enterprise_linux_server_for_ibm_power_le_-_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*
• cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_x86_64_-_extended_update_support:9.2:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:a:red_hat:tomcat_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*

External links

https://access.redhat.com/errata/RHSA-2025:3646

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.