Applications Manager and Tomcat vulnerability CVE-2025-24813
Article ID: 391783

Products

CA Automic Applications Manager (AM)

Issue/Introduction

More information regarding this vulnerability can be found at:

https://nvd.nist.gov/vuln/detail/CVE-2025-24813

Is Tomcat, which is used by Applications Manager, vulnerable to CVE-2025-24813?

Environment

Applications Manager 9.5.x, 9.6.x

Resolution

Applications Manager is not vulnerable to CVE-2025-24813.

Applications Manager 9.5.x ships the Tomcat application along with the product. For version 9.5.x, Tomcat can be upgraded to a fixed version.

Applications Manager 9.6.0 uses embedded Tomcat in the Integrated Web Server, but the environment is vulnerable to CVE-2025-24813 ONLY when all four of the following prerequisites are true:

  1. Write-enabled default servlet - The readonly parameter of the default servlet in conf/web.xml must be set to false (it is true by default)
  2. Partial PUT requests enabled - Usually enabled by default
  3. File-based session storage - Not enabled by default; session files must be saved in the standard storage location
  4. Vulnerable deserialization libraries - Must be present in the classpath

  • Since we ship our own web server, which uses Tomcat libraries, the default servlet would only be write-enabled if we explicitly wrote code like the following. We have no such code.

      // Register the default servlet; addServlet returns the Wrapper that holds its init parameters
      Wrapper defaultServlet = tomcat.addServlet(ctx, "default", new DefaultServlet());
      defaultServlet.addInitParameter("readonly", "false"); // explicitly enable write (Tomcat default is true)
      ctx.addServletMappingDecoded("/", "default");         // map the default servlet to the context root
  • Partial PUT requests are disabled; we do not support PUT requests at all. This can be verified by sending a PUT request, which should return a 403 or 405 error.

      curl -X PUT http://amserver.example.net:8080/AMENGINE/classes/Options.properties -d "test"
  • We do not use file-based session storage. In fact, we do not use sessions at all unless APIs are enabled, and even when APIs are enabled, the sessions are kept in memory.