Our security team have flagged that this Tomcat vulnerability, i.e. CVE-2025-24813, is critical. They have asked if this vulnerability is affecting VIP Authentication Hub 3.3.x product.
Specifically, they have asked if either of these conditions is met:
"writes enabled for the default servlet (disabled by default)"
"support for partial PUT (enabled by default)"
VIP Authentication Hub 3.3.x
We have confirmed that the Tomcat CVE-2025-24813 vulnerability does not affect VIP Authentication Hub.
All services within VIP Authentication Hub use the Jetty server, not Tomcat, except for the Risk/iaservices.
Additionally, the Risk/iaservices container is not vulnerable based on the following analysis:
1. Writes enabled for the default servlet (disabled by default): the web.xml file in the iaservices container is read-only, meaning the write flag cannot be enabled.
2. Support for partial PUT (enabled by default): according to the CVE, the FileStore must be enabled in the context.xml. However, the context.xml is not available in the iaservices webapp and cannot be created. Additionally, the context.xml in Tomcat is read-only, and the Tomcat folder deployed within the container is also read-only.