VertiGIS uses this page to provide key information about the following vulnerability in Apache Tomcat 9 and its impact on products in the UT for ArcGIS product family.
- CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
The vulnerability affects Tomcat 9 up to and including version 9.0.98; it is fixed in 9.0.99.
This article will be updated as soon as new information is available.
Further information
In products in the context of UT for ArcGIS that use Tomcat 9, the preconditions for exploiting the vulnerability are usually not met, because the default servlet is left read-only and file-based session persistence is not used. This should nevertheless be verified on each installation, since the preconditions depend on the Tomcat configuration (conf/web.xml and conf/context.xml) rather than on the product itself. The Apache advisory describes the preconditions as follows:
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Source: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
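The following script is an added example written for this article; it is not code from VertiGIS, from the UT for ArcGIS products or from the Apache Tomcat project. It checks the configuration-level preconditions quoted above against three inputs an administrator can copy from an installation: the ServerInfo.properties file inside lib/catalina.jar (which carries the server.number line), the default servlet definition from conf/web.xml, and the Manager/Store configuration from conf/context.xml. The affected version ranges for the 10.1 and 11.0 branches are taken from the Apache advisory and go beyond the Tomcat 9 scope of this page. The sample inputs at the bottom are constructed for demonstration and do not describe any real system. Two preconditions cannot be read from configuration at all, namely the upload-path layout and filename knowledge for the information-disclosure case and the presence of a deserialization gadget library for the RCE case; the script names them but does not evaluate them.

```python
"""Configuration check for the CVE-2025-24813 preconditions (Apache Tomcat partial PUT).

Inputs: ServerInfo.properties (from lib/catalina.jar), conf/web.xml, conf/context.xml.
Output: which of the advisory's configuration preconditions are met.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch (from the Apache advisory); earlier releases on that branch are affected.
FIXED_IN = {(9, 0): 99, (10, 1): 35, (11, 0): 3}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(server_info: str) -> tuple:
    """Return (major, minor, patch) from a 'server.number=9.0.98.0' line."""
    m = re.search(r"^server\.number=(\d+)\.(\d+)\.(\d+)", server_info, re.MULTILINE)
    if not m:
        raise ValueError("no server.number line in ServerInfo.properties")
    return tuple(int(g) for g in m.groups())


def version_affected(version: tuple) -> bool:
    """True for releases the advisory lists as affected; branches it does not list are not assessed."""
    fixed = FIXED_IN.get(tuple(version[:2]))
    return fixed is not None and version[2] < fixed


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml parses regardless of the schema URI used."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name: str) -> str:
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_settings(web_xml: str) -> dict:
    """Read the default servlet's readonly/allowPartialPut init-params (Tomcat defaults when absent)."""
    settings = {"readonly": True, "allowPartialPut": True}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param":
                name = _child_text(param, "param-name")
                if name in settings:
                    settings[name] = _child_text(param, "param-value").lower() == "true"
    return settings


def file_store_at_default_location(context_xml: str) -> bool:
    """True if a PersistentManager uses a FileStore without an explicit 'directory' attribute,
    i.e. sessions are written to the context's work directory (the advisory's default location)."""
    for manager in ET.fromstring(context_xml).iter("Manager"):
        if manager.get("className") != "org.apache.catalina.session.PersistentManager":
            continue
        for store in manager.iter("Store"):
            if store.get("className") == "org.apache.catalina.session.FileStore" and not store.get("directory"):
                return True
    return False


def assess(server_info: str, web_xml: str, context_xml: str) -> dict:
    """Combine the checks into the two precondition sets named in the advisory."""
    version = parse_version(server_info)
    affected = version_affected(version)
    servlet = default_servlet_settings(web_xml)
    # The allowPartialPut init-param only exists from the fixed releases on; every affected release accepts partial PUTs.
    partial_put = True if affected else servlet["allowPartialPut"]
    writes = not servlet["readonly"]
    result = {
        "version": version,
        "version_affected": affected,
        "writes_enabled": writes,
        "partial_put": partial_put,
        "file_store_default_location": file_store_at_default_location(context_xml),
    }
    common = affected and writes and partial_put
    # Info disclosure also needs the upload-path layout and filename knowledge from the advisory;
    # RCE also needs a deserialization gadget library on the classpath. Neither is visible in configuration.
    result["info_disclosure_config_preconditions"] = common
    result["rce_config_preconditions"] = common and result["file_store_default_location"]
    return result


# Constructed sample inputs for demonstration only (not taken from any real installation).
SERVER_INFO_AFFECTED = "server.info=Apache Tomcat/9.0.98\nserver.number=9.0.98.0\n"
SERVER_INFO_FIXED = "server.info=Apache Tomcat/9.0.99\nserver.number=9.0.99.0\n"
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEB_XML_DEFAULT = WEB_XML_WRITABLE.replace("<param-value>false</param-value>", "<param-value>true</param-value>")
CONTEXT_XML_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
CONTEXT_XML_PLAIN = "<Context/>"

if __name__ == "__main__":
    print("affected setup:", assess(SERVER_INFO_AFFECTED, WEB_XML_WRITABLE, CONTEXT_XML_FILESTORE))
    print("hardened setup:", assess(SERVER_INFO_FIXED, WEB_XML_DEFAULT, CONTEXT_XML_PLAIN))
```

On a real installation, replace the constructed strings with the file contents (unzip ServerInfo.properties from lib/catalina.jar, and check both conf/context.xml and any META-INF/context.xml shipped inside a deployed application, since a per-application Manager overrides the global one). A result where only version_affected is true still calls for the upgrade to 9.0.99 or later, because the other preconditions can be introduced by a later configuration change.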
Recent Tomcat 9 releases can in principle be used with our products. As a rule, the system requirements specify only Tomcat 9, or a minimum Tomcat 9 version that has been tested. We do not run explicit tests of new Tomcat releases against product versions that have already shipped. If problems become known, we investigate them and try to provide solutions promptly.
Tomcat 10 and Tomcat 11 cannot be used; only Tomcat 9 is supported.
Related products
- UT CBYD: We are currently not aware of any problems when using Tomcat 9.0.99 or higher.
- WMPS: We are currently not aware of any problems when using Tomcat 9.0.99 or higher.
- UT AppConnector: When using Tomcat 9 with version number 9.0.88 or higher, UT Desktop Suite with build 6807 or higher must be used if communication is to take place via a secure connection (wss://). We are currently not aware of any other problems when using Tomcat 9.0.99 or higher.
- UT Integrator: We are currently not aware of any problems when using Tomcat 9.0.99 or higher.
- UTJSC: When using Tomcat 9 with version number 9.0.88, UTJSC_4.2.2397.Patch2 must also be installed. The patch is available via the Baral customer portal or can be provided via the transfer portal. We are currently not aware of any other problems when using Tomcat 9.0.99 or higher.