topic Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS? in Administration and Deployment

How is Apache Tomcat CVE-2025-24813 addressed by SAS?

ghassanzghaib — Tue, 01 Apr 2025 20:24:42 GMT

Hi,

Is the recent Apache Tomcat vulnerability "CVE-2025-24813" addressed by SAS?

I didn't find anything related to this vulnerability in the SAS Security Bulletins.

Thanks.

Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS?

LinusH — Wed, 02 Apr 2025 06:22:45 GMT

Since this is a question directly to the vendor, I suggest that you open a track to tech support or contact your accont responsible.

Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS?

ghassanzghaib — Wed, 02 Apr 2025 14:15:59 GMT

Hi,

Apparently the installation is vulnerable only if the "readonly" parameter in the Tomcat's "web.xml" is changed to "false" from it's default value of "true".

Is our Tomcat susceptible to CVE-2025-24813?

Solution Verified - Updated March 21 2025 at 3:15 PM -

English

Environment

JBoss Web Server
- 5.x
- 6.
Red Hat Enterprise Linux
- 8.x
- 9.x
- 10.x
Red Hat Satellite
Red Hat Identity Management
Tomcat
- 9.0.x
- 10.1.x

Issue

Security reports are raising concerns about CVE-2025-24813 for our Tomcat version and requesting we upgrade. Are we truly susceptible?

Resolution

The impact of this vulnerability is heavily limited to non-default configurations that are not typically used.
If the readonly flag of the DefaultServlet on theweb.xml is not changed to false (its default of true is safe), then there is no impact. That would have to be added in a block like below of the tomcat or a webapp's web.xml:

Raw

<servlet-name>default</servlet-name>

<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>

<init-param>

<param-name>debug</param-name>

<param-value>0</param-value>

</init-param>

<init-param>

<param-name>listings</param-name>

<param-value>false</param-value>

</init-param>

<init-param>

<param-name>readonly</param-name>

<param-value>false</param-value>

</init-param>

<load-on-startup>1</load-on-startup>

</servlet>

If installed from a RHEL tomcat package, you could use a simple check like below to see if there is any line added to change the parameter at all:

Raw

$ grep readonly /etc/tomcat/web.xml | grep -v "<\!--"

Or if a JWS zip install:
line added to change the parameter at all:

Raw

$ grep readonly /path/to/JWS_HOME/tomcat/conf/web.xml | grep -v "<\!--"

You may also check any deployed custom apps and their WEB-INF/web.xml for any modifications of their own:

Raw

$ grep readonly /path/to/webappname/WEB-INF/web.xml | grep -v "<\!--"

Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS?

DJWanna — Mon, 14 Apr 2025 14:52:03 GMT

quick verification ... this is the block that should be changed:
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
And as it is now our web server IS vulnerable. Is this to be changed on all web.xml files?

Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS?

DJWanna — Mon, 14 Apr 2025 15:15:44 GMT

Sorry, follow-up question ... would we need to do a rebuild/redeploy of all the web applications? I see that web.xml is in all of the apps.

Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS?

ghassanzghaib — Wed, 16 Apr 2025 12:27:19 GMT

Your block is missing the 'readonly' parameter but if you look at the comments somewhere above in the file you'll find the following:

[true] is the default value so you should be ok.

You only need to change the file in: \SASConfig\Lev1\Web\WebAppServer\SASServer1_1\conf

Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS?

ghassanzghaib — Wed, 16 Apr 2025 12:31:17 GMT

Since the parameter is not modified and it already has the default value of "true" you don't have to change anything.

Re: How is Apache Tomcat CVE-2025-24813 addressed by SAS?

UtkarshGupta — Fri, 18 Apr 2025 13:55:22 GMT

As already mentioned earlier, please report this to SAS Support and further assistance can then be provided. Thanks.