Administration and Deployment

Installing and maintaining your SAS environment
ghassanzghaib
Obsidian | Level 7

Hi,


Is the recent Apache Tomcat vulnerability "CVE-2025-24813" addressed by SAS?

I didn't find anything related to this vulnerability in the SAS Security Bulletins.


Thanks.

7 REPLIES
LinusH
Tourmaline | Level 20

Since this is a question directly to the vendor, I suggest that you open a track to tech support or contact your account responsible.

Data never sleeps
ghassanzghaib
Obsidian | Level 7

Hi,


Apparently the installation is vulnerable only if the "readonly" parameter in Tomcat's "web.xml" is changed to "false" from its default value of "true".

Is our Tomcat susceptible to CVE-2025-24813?

Solution Verified - Updated March 21 2025 at 3:15 PM

Environment

  • JBoss Web Server
    • 5.x
    • 6.
  • Red Hat Enterprise Linux
    • 8.x
    • 9.x
    • 10.x
  • Red Hat Satellite
  • Red Hat Identity Management
  • Tomcat
    • 9.0.x
    • 10.1.x

Issue

  • Security reports are raising concerns about CVE-2025-24813 for our Tomcat version and requesting we upgrade. Are we truly susceptible?

Resolution

  • The impact of this vulnerability is heavily limited to non-default configurations that are not typically used.
  • If the readonly flag of the DefaultServlet in the web.xml is not changed to false (its default of true is safe), then there is no impact. That would have to be added in a block like the one below in the tomcat or a webapp's web.xml:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

  • If installed from a RHEL tomcat package, you could use a simple check like below to see if there is any line added to change the parameter at all:

    $ grep readonly /etc/tomcat/web.xml | grep -v "<\!--"

  • Or if a JWS zip install:

    $ grep readonly /path/to/JWS_HOME/tomcat/conf/web.xml | grep -v "<\!--"

  • You may also check any deployed custom apps and their WEB-INF/web.xml for any modifications of their own:

    $ grep readonly /path/to/webappname/WEB-INF/web.xml | grep -v "<\!--"
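As an added example (not code from this thread, from SAS or from Red Hat), the following Python check parses a web.xml instead of grepping it, so a readonly setting whose <param-name> and <param-value> sit on different lines, or a "readonly" that appears only in the commented documentation lines, is reported correctly; the sample web.xml embedded in it is constructed for the demonstration.

```python
import sys
import xml.etree.ElementTree as ET

# Added example, not from the thread, SAS or Red Hat: report the effective
# DefaultServlet 'readonly' value of a web.xml by parsing the XML.
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Drop the XML namespace that web.xml declares, leaving the bare tag name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    """Stripped text of the first child with local name `name`, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_readonly(web_xml: str) -> bool:
    """True (Tomcat default, PUT/DELETE rejected) unless an <init-param>
    on the DefaultServlet explicitly sets readonly to false."""
    root = ET.fromstring(web_xml)  # comments are dropped by the parser
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "readonly"):
                return _child_text(param, "param-value").lower() != "false"
    return True  # not set anywhere: the default of true applies


# Constructed sample (not a real deployment file): readonly explicitly false.
SAMPLE_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
  <!-- readonly Is this context "read only", so HTTP commands like PUT and DELETE are rejected? [true] -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":  # usage: python check_readonly.py /path/to/web.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WRITABLE
    print("DefaultServlet readonly =", default_servlet_readonly(text))
```

Run it against each conf/web.xml and WEB-INF/web.xml you deploy; only a result of False corresponds to the non-default configuration the Red Hat article describes.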

DJWanna
Obsidian | Level 7
quick verification ... this is the block that should be changed:
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
And as it is now our web server IS vulnerable. Is this to be changed on all web.xml files?
ghassanzghaib
Obsidian | Level 7

Your block is missing the 'readonly' parameter but if you look at the comments somewhere above in the file you'll find the following:

    <!-- readonly Is this context "read only", so HTTP -->
    <!-- commands like PUT and DELETE are -->
    <!-- rejected? [true] -->

[true] is the default value so you should be ok.

 

You only need to change the file in: \SASConfig\Lev1\Web\WebAppServer\SASServer1_1\conf

DJWanna
Obsidian | Level 7
Sorry, follow-up question ... would we need to do a rebuild/redeploy of all the web applications? I see that web.xml is in all of the apps.
ghassanzghaib
Obsidian | Level 7

Since the parameter is not modified and it already has the default value of "true" you don't have to change anything.


UtkarshGupta
SAS Employee

As already mentioned earlier, please report this to SAS Support and further assistance can then be provided. Thanks.
