Tanzu Security Advisory - CVE-2025-24813

Products: VMware Tanzu Application Service (and 3 more products) | 25536 | Issued: 25 March 2025 | Updated: 25 March 2025 | Status: CLOSED | Severity: HIGH | Score: 7.7 | CVE-2025-24813

CVE-2025-24813 - Tanzu

Advisory ID: TNZ-2025-014

Severity: High

CVSSv3 NVD: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVSS Base Score: 9.8

Impact Subscore: 5.9

Exploitability Subscore: 3.9

CVSS Temporal Score: NA

CVSS Environmental Score: NA

Modified Impact Subscore: NA

Overall CVSS Score: 9.8

CVSSv3 Tanzu: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H


CVSS Base Score: 9.8

Impact Subscore: 5.9

Exploitability Subscore: 3.9

CVSS Temporal Score: 9.4

CVSS Environmental Score: 7.7

Modified Impact Subscore: 5.9

Overall CVSS Score: 7.7

Issue Date: 2025-03-25

Updated on: 2025-03-25

CVE(s): CVE-2025-24813

Synopsis

CVE-2025-24813 is an unauthenticated remote code execution vulnerability in Apache Tomcat’s partial PUT feature disclosed on March 10, 2025. Under specific circumstances, successful exploitation allows attackers to execute code remotely on target systems via unsafe deserialization.

Upstream OSS Advisory Link:
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

Tanzu Details

Tanzu Platform for Cloud Foundry is a complex platform with many components, generally installed on private networks. Tanzu adjusted the CVSSv3 calculation with the following changes:

  • Temporal Score Metrics
    • Exploit Code Maturity: High. Proof-of-concept (PoC) exploit code is publicly available, there are reports of exploitation, and a Velociraptor (VQL) artifact is available that hunts Tomcat log paths for exceptions associated with exploitation.
    • Remediation Level: Tomcat has official fixes.
    • Report Confidence: Confirmed vulnerability details.
  • Environmental Score Metrics
    • Modified Attack Complexity is the only value changed from the original CVSS score. Because Tanzu Platform is a complex product with many services that generally run on secured internal networks, Tanzu raised the attack complexity from Low to High.


The upstream advisory lists "writes enabled for the default servlet (disabled by default)" as a requirement for the exploit to be effective.


None of the Tanzu Platform for Cloud Foundry components enable writes for the default servlet, which is required to be vulnerable; this is a false positive on all versions of Tanzu Platform for Cloud Foundry.
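The two preconditions this advisory relies on, a Tomcat version inside the upstream affected ranges and writes enabled for the default servlet, can be checked mechanically against an application's web.xml. The following Python script is an added example, not code from Tanzu or Apache: the version bounds come from the ranges quoted above, the web.xml it parses is a constructed sample, and it assumes Python 3.8 or later for the `{*}` namespace wildcard.

```python
import re
import xml.etree.ElementTree as ET

# Last affected release per branch, from the upstream ranges quoted in this advisory.
# Branches not listed there (for example 8.5.x) come back "not affected", mirroring the advisory only.
AFFECTED_THROUGH = {11: (11, 0, 2), 10: (10, 1, 34), 9: (9, 0, 98)}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def parse_version(v):
    """(major, minor, patch) for '9.0.98', '10.1.0-M1' or '9.0.0.M1'; milestone suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(v):
    """True when the Tomcat version lies inside one of the affected ranges."""
    ver = parse_version(v)
    bound = AFFECTED_THROUGH.get(ver[0])
    return bound is not None and ver <= bound

def default_servlet_writable(web_xml):
    """True when the DefaultServlet has readonly=false, i.e. writes are enabled.
    Tomcat's default is readonly=true, so a missing init-param means writes are disabled."""
    root = ET.fromstring(web_xml)
    for servlet in root.findall("{*}servlet"):  # {*} matches any (or no) XML namespace
        if servlet.findtext("{*}servlet-class", "").strip() != DEFAULT_SERVLET:
            continue
        for param in servlet.findall("{*}init-param"):
            if param.findtext("{*}param-name", "").strip() == "readonly":
                return param.findtext("{*}param-value", "").strip().lower() == "false"
    return False

def assess(tomcat_version, web_xml):
    """Combine the two preconditions named in the advisory into one verdict string."""
    if not is_affected_version(tomcat_version):
        return "not affected: Tomcat version outside the affected ranges"
    if not default_servlet_writable(web_xml):
        return "false positive: affected version but default servlet is read-only"
    return "exposed: affected version and writes enabled for the default servlet"

# Constructed sample web.xml (not taken from any Tanzu component) with writes enabled.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run `assess("9.0.98", SAMPLE_WEB_XML)` to see the exposed verdict; the same version with the readonly parameter absent or set to true reproduces the false-positive case described for the Tanzu components.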


Tanzu Platform for Cloud Foundry component impact:

UAA

UAA does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive. Upgrading to UAA v77.20.3 updates the detection logic to prevent false positives, but no actual security vulnerability exists in the current setup.


Included in TPCF releases: 10.0.3, 6.0.13, 4.0.33

Credhub

Credhub does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive.

cf-autoscaler

cf-autoscaler does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive.

pcf-scheduler

pcf-scheduler does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive.

java-offline-buildpacks

Java Buildpack v2, from version 4.79.0, includes non-vulnerable versions of Tomcat:

  • Tomcat 10.1.35
  • Tomcat 9.0.10

Included in TPCF releases: 10.0.3, 6.0.13, 4.0.33

Alternatively, you can download the latest Java Buildpack from the Broadcom Support Portal and either override the default buildpack version or manually set the buildpack used by the application.

Spring Cloud Dataflow

Spring Cloud Dataflow (p-dataflow) does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive.

Spring Cloud Services

Spring Cloud Services (SCS) does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive.

tanzu-ai-server

Tanzu AI Server does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive.

BOSH / OpsManager

BOSH/Ops Manager does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813.

This is a false positive.

Tanzu Platform for Cloud Foundry Versions Affected

  • None of the Tanzu Platform for Cloud Foundry components enable writes for the default servlet, which is required to be vulnerable; this is a false positive on all versions of Tanzu Platform for Cloud Foundry.
  • Developers can use Java buildpacks before 4.79.0 to build applications that could be vulnerable. Upgrading TPCF or the buildpacks, and rebuilding applications that use Tomcat with the default servlet, is recommended.
  • All releases through Tanzu Platform for Cloud Foundry Releases 10.0.2, 6.0.12+LTS-T and 4.0.32+LTS-T will report the vulnerability, but it is a false positive.
  • Tanzu Platform for Cloud Foundry Releases 10.0.3, 6.0.13+LTS-T and 4.0.33+LTS-T contain the updated Tomcat for UAA. The next GA release for Tanzu Platform for Cloud Foundry and BOSH/Ops Manager will include the updated Tomcat for the remaining components.
  • Upgrading updates the detection logic to prevent false positives, but no actual security vulnerability exists in Tanzu Platform for Cloud Foundry.

MySQL Tile Versions Affected

  • The MySQL tile previously contained a Spring app used only for a smoke test. That app was removed in version 2.10.12 of the tile. This is a false positive that will no longer be reported from 2.10.12.

Spring Boot Versions Affected

TKGi Server Versions Affected

  • Affected through TKGi Release 1.22.0
  • Unaffected from TKGi Release 1.22.1
  • TKGi UAA does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
  • Upgrading to UAA v77.20.3 updates the detection logic to prevent false positives, but no actual security vulnerability exists in the current setup.

Tanzu Data Management Console

  • rabbitmq-connector-service uses Spring Boot, which neither enables the default servlet nor configures it with read-only disabled; both are required to be vulnerable to CVE-2025-24813.
  • This is a false positive.

History

2025-03-25: Initial vulnerability report published.

Contact

E-mail: [email protected]

VMware Tanzu Security Advisories
https://support.broadcom.com/group/ecx/security-advisory?segment=VT