VIP Authentication Hub affected by Tomcat CVE-2025-24813 vulnerability

Article ID: 391470

Products

VIP Authentication Hub

Issue/Introduction

The security team has flagged the critical Tomcat vulnerability CVE-2025-24813 in VIP Authentication Hub (1).

Does this vulnerability affect the VIP Authentication Hub 3.3.x product?

Specifically, are these conditions met?

  • "writes enabled for the default servlet (disabled by default)";
  • "support for partial PUT (enabled by default)".

Environment

VIP Authentication Hub 3.3.x

Resolution

The Tomcat CVE-2025-24813 vulnerability does not affect VIP Authentication Hub 3.3.x.

All services within the VIP Authentication Hub run on the Jetty server, not Tomcat, with one exception: the Risk/iaservices service, which runs on Tomcat.

Additionally, the Risk/iaservices container is not vulnerable, based on the following analysis of the CVE's preconditions:

  1. Writes enabled for the default servlet (disabled by default).
    Tomcat's DefaultServlet only accepts PUT and DELETE when its readonly init-param is set to false in web.xml. Writes are disabled by default, and the web.xml file in the iaservices container is read-only, so the write flag cannot be enabled;

  2. Support for partial PUT (enabled by default).
    Partial PUT on its own is not exploitable. The remote code execution path described in the CVE additionally requires Tomcat's file-based session persistence (a PersistentManager backed by a FileStore), which is configured in context.xml.
    However, the iaservices web app ships no context.xml, and one cannot be created: Tomcat's conf/context.xml is read-only, and the Tomcat folder deployed within the container is also read-only.
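The same three preconditions can be checked mechanically on any Tomcat deployment. The script below is an added example for this article; it is not part of VIP Authentication Hub or of Tomcat. It parses the DefaultServlet declaration in conf/web.xml (the `readonly` init-param controls writes; `allowPartialPut` controls partial PUT and is assumed here to exist only in Tomcat releases that already contain the fix, so its absence means partial PUT is on) and looks in context.xml for a PersistentManager with a FileStore. The sample XML fragments are constructed for the example. The fourth RCE precondition, a deserialization-vulnerable library on the classpath, cannot be read from configuration and is not checked.

```python
"""Audit Tomcat configuration for the CVE-2025-24813 preconditions.

Added example, not product or Tomcat code. Sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def _local(tag):
    """Strip the XML namespace; web.xml uses javaee or jakartaee depending on Tomcat major."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params of the DefaultServlet declaration in web.xml as a dict."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}  # no DefaultServlet declared at all


def file_session_store(context_xml):
    """True if context.xml configures a PersistentManager backed by a FileStore.

    Only presence is checked; the CVE's RCE path also relies on the default
    store location, which is not verified here.
    """
    root = ET.fromstring(context_xml)
    for mgr in root.iter():
        if _local(mgr.tag) == "Manager" and mgr.get("className") == PERSISTENT_MANAGER:
            return any(_local(s.tag) == "Store" and s.get("className") == FILE_STORE for s in mgr)
    return False


def assess(web_xml, context_xml=None):
    """Report which CVE-2025-24813 preconditions the configuration meets."""
    params = default_servlet_params(web_xml)
    # Tomcat defaults: readonly=true (no writes), partial PUT enabled.
    # allowPartialPut is assumed to exist only in fixed releases; absent means enabled.
    writes = (params.get("readonly") or "true").lower() == "false"
    partial_put = (params.get("allowPartialPut") or "true").lower() != "false"
    store = file_session_store(context_xml) if context_xml else False
    return {
        "writes_enabled": writes,
        "partial_put": partial_put,
        "file_session_store": store,
        "file_write_exposed": writes and partial_put,
        "deserialization_rce_path": writes and partial_put and store,
    }


# Constructed samples: stock-like Tomcat conf/web.xml and a misconfigured copy.
STOCK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

WRITABLE_WEB_XML = STOCK_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "    <load-on-startup>",
)

STOCK_CONTEXT_XML = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

FILESTORE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for label, w, c in (("stock", STOCK_WEB_XML, STOCK_CONTEXT_XML),
                        ("writable + FileStore", WRITABLE_WEB_XML, FILESTORE_CONTEXT_XML)):
        print(label, assess(w, c))
```

Run it against a real deployment by reading `$CATALINA_BASE/conf/web.xml` and the relevant `context.xml` (conf/context.xml or META-INF/context.xml of the web app) into the two arguments. A stock configuration reports `file_write_exposed` as False even though `partial_put` is True, which matches the reasoning in the article: partial PUT by itself is harmless while the default servlet stays read-only.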
