Tanzu Security Advisory - CVE-2025-24813
Reference: 25536
Issued: 25 March 2025
Updated: 25 March 2025
Status: CLOSED
Severity: HIGH (overall CVSS 7.7)
CVE: CVE-2025-24813
Advisory ID: TNZ-2025-014
Severity: High
CVSSv3 NVD: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Base Score 9.8 (Impact Subscore 5.9, Exploitability Subscore 3.9); Temporal Score NA; Environmental Score NA; Modified Impact Subscore NA; Overall CVSS Score 9.8
CVSSv3 Tanzu:
  Base Score 9.8 (Impact Subscore 5.9, Exploitability Subscore 3.9); Temporal Score 9.4; Environmental Score 7.7 (Modified Impact Subscore 5.9); Overall CVSS Score 7.7
Issue Date: 2025-03-25
Updated on: 2025-03-25
CVE(s): CVE-2025-24813
Synopsis |
CVE-2025-24813 is an unauthenticated remote code execution vulnerability in Apache Tomcat's partial PUT handling, disclosed on March 10, 2025. It is only reachable when writes are enabled for the default servlet (they are disabled by default) and partial PUT support is enabled (the default); the remote code execution outcome additionally requires file-based session persistence and a library vulnerable to deserialization on the classpath. Under those conditions an attacker can upload a crafted file and trigger unsafe deserialization to execute code remotely on the target system.
Upstream OSS Advisory Link:
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The upstream fixed releases are 11.0.3, 10.1.35 and 9.0.99.
Tanzu Details
Tanzu Platform for Cloud Foundry is a complex platform with many components, generally installed on private networks. Tanzu updated the CVSSv3 calculator with the following changes:
- Temporal Score Metrics
  - Exploit Code Maturity: High. Proof-of-concept (PoC) exploit code is publicly available and there are unconfirmed reports of exploitation in the wild; a Velociraptor (VQL) artifact is also available that hunts Tomcat log paths for exceptions associated with exploitation.
  - Remediation Level: Official fix. Tomcat has official fixes.
  - Report Confidence: Confirmed. Vulnerability details are confirmed.
- Environmental Score Metrics
  - Modified Attack Complexity is the only value changed from the original CVSS score. Because Tanzu Platform is a complex product with many services that generally runs on secured internal networks, Tanzu changed the attack complexity from Low to High.
The upstream advisory lists "writes enabled for the default servlet (disabled by default)" as a precondition for the exploit to be effective.
No Tanzu Platform for Cloud Foundry component enables writes for the default servlet, which is required to be vulnerable; the detection is therefore a false positive on all versions of Tanzu Platform for Cloud Foundry.
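The precondition above can be verified directly on a Tomcat instance rather than taken from a scanner. The following Python script is an added example and is not Tanzu's or Apache's code: it compares an installed Tomcat version against the affected ranges published upstream (milestone versions such as 9.0.0.M1 and 11.0.0-M1 included) and parses conf/web.xml to see whether the DefaultServlet has been given readonly=false (writes enabled) or allowPartialPut=false (partial PUT disabled). The two web.xml documents embedded in it are constructed samples, one with the stock servlet declaration and one with readonly switched to false; the defaults it assumes (readonly=true, allowPartialPut=true) are the documented DefaultServlet init-param defaults.

```python
"""Check a Tomcat instance for the CVE-2025-24813 preconditions.

Added example, not Tanzu's or Apache's code. Two checks:
  1. Is the installed Tomcat version inside the affected ranges from the
     upstream advisory?
  2. Does conf/web.xml turn on writes for the DefaultServlet
     (readonly=false) and leave partial PUT enabled (allowPartialPut)?
Assumed Tomcat defaults (documented DefaultServlet init-params):
readonly=true, allowPartialPut=true.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the upstream advisory (inclusive, milestones included).
AFFECTED_RANGES = [("11.0.0-M1", "11.0.2"), ("10.1.0-M1", "10.1.34"), ("9.0.0.M1", "9.0.98")]

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: stock DefaultServlet declaration (readonly left at its default of true).
STOCK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the same file with writes enabled, the precondition the advisory names.
WRITABLE_WEB_XML = STOCK_WEB_XML.replace(
    "    <load-on-startup>",
    "    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "    <load-on-startup>",
)


def version_key(version):
    """Sort key for Tomcat versions; a milestone (9.0.0.M1, 11.0.0-M1) sorts before its GA release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_affected(version):
    """True when the version lies inside one of the upstream affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace; web.xml is normally namespaced


def default_servlet_settings(web_xml):
    """Return the DefaultServlet init-params relevant to this CVE, with Tomcat's defaults filled in."""
    settings = {"readonly": True, "allowPartialPut": True}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if DEFAULT_SERVLET_CLASS not in classes:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(f.tag): (f.text or "").strip() for f in param}
            name, value = fields.get("param-name"), fields.get("param-value", "")
            if name in settings:
                settings[name] = value.lower() == "true"
    return settings


def assess(version, web_xml):
    """Combine both checks: the CVE needs an affected version AND writes enabled AND partial PUT."""
    settings = default_servlet_settings(web_xml)
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "writes_enabled": not settings["readonly"],
        "partial_put_enabled": settings["allowPartialPut"],
        "preconditions_met": affected and not settings["readonly"] and settings["allowPartialPut"],
    }


if __name__ == "__main__":
    for label, version, doc in [("stock", "10.1.34", STOCK_WEB_XML),
                                ("writable", "10.1.34", WRITABLE_WEB_XML),
                                ("writable+fixed", "10.1.35", WRITABLE_WEB_XML)]:
        print(label, assess(version, doc))
```

On a real host, pass the version from the Tomcat server banner or catalina.jar manifest and read conf/web.xml from CATALINA_BASE; a per-application WEB-INF/web.xml can also redeclare the default servlet, so check those too. Only the combination of an affected version with readonly=false (and partial PUT still enabled) reproduces the condition the advisory describes; a version match on its own is what produces the false positives discussed on this page.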
Tanzu Platform for Cloud Foundry component impact:
UAA: UAA does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive. Upgrading to UAA v77.20.3 addresses the detection logic to prevent false positives, but no actual security vulnerability exists in the current setup. Included in TPCF releases 10.0.3, 6.0.13 and 4.0.33.
Credhub: Credhub does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
cf-autoscaler: cf-autoscaler does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
pcf-scheduler: pcf-scheduler does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
java-offline-buildpacks: Java Buildpack v2, from version 4.79.0, includes non-vulnerable Tomcat versions: Tomcat 10.1.35 and a patched Tomcat 9.0.x (the upstream fix for the 9.0 line is 9.0.99). Included in TPCF releases 10.0.3, 6.0.13 and 4.0.33. Alternatively, download the latest Java Buildpack from the Broadcom Support Portal and either override the default buildpack version or manually set the buildpack used by the application.
Spring Cloud Dataflow: Spring Cloud Dataflow (p-dataflow) does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
Spring Cloud Services: Spring Cloud Services (SCS) does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
tanzu-ai-server: Tanzu AI Server does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
BOSH / OpsManager: BOSH/Ops Manager does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
Tanzu Platform for Cloud Foundry Versions Affected
- No Tanzu Platform for Cloud Foundry component enables writes for the default servlet, which is required to be vulnerable; the detection is a false positive on all versions of Tanzu Platform for Cloud Foundry.
- Applications built with Java Buildpack versions before 4.79.0 may embed a vulnerable Tomcat. Upgrading TPCF or the buildpack and rebuilding (restaging) applications is recommended where an application uses Tomcat with the default servlet.
- All releases through Tanzu Platform for Cloud Foundry 10.0.2, 6.0.12+LTS-T and 4.0.32+LTS-T will report the vulnerability, but it is a false positive.
- Tanzu Platform for Cloud Foundry Releases 10.0.3, 6.0.13+LTS-T, 4.0.33+LTS-T contain the updated Tomcat for UAA. The next GA release for Tanzu Platform for Cloud Foundry and BOSH/Ops Manager will include the updated Tomcat for remaining components.
- Upgrading addresses the detection logic to prevent false positives, but no actual security vulnerability exists in Tanzu Platform for Cloud Foundry.
MySQL Tile Versions Affected
- The MySQL tile previously contained a Spring application used only for a smoke test. That application was removed in version 2.10.12 of the tile. This is a false positive and will no longer be reported from 2.10.12.
Spring Boot Versions Affected
- Spring Boot does not use the parameters required by the vulnerability and does not register Tomcat's default servlet at all by default. Because of this configuration, this is a false positive.
- For the CVE to affect an embedded Tomcat in Spring Boot, the application would have to set server.servlet.register-default-servlet=true so that the default servlet is present, and then additionally customize that servlet to make it writable.
- There are three options to remediate CVE-2025-24813:
- Option 1. Upgrade to Spring Boot 3.2.13, which ships Tomcat 10.1.36: https://packages.broadcom.com/artifactory/spring-enterprise/org/springframework/boot/spring-boot-dependencies/3.2.13/spring-boot-dependencies-3.2.13.pom
- Option 2. Upgrade to Spring Boot 3.3.9, which ships Tomcat 10.1.36: https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/3.3.9/spring-boot-dependencies-3.3.9.pom
- Option 3. Keep the current Spring Boot version and override the managed Tomcat version with tomcat.version 10.1.35 or higher in the project's pom.xml properties:
    <properties>
      <tomcat.version>10.1.35</tomcat.version>
    </properties>
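To see where a Spring Boot project stands on the two points above (is the default servlet registered at all, and which Tomcat does the build actually resolve), the following Python script is an added example and is not Spring's or Tanzu's code. It reads application.properties for server.servlet.register-default-servlet and pom.xml for a tomcat.version override, falling back to the Tomcat version bundled by the spring-boot-dependencies BOM for the two Spring Boot releases named above (other releases are not tabulated and are reported as unknown). The properties and pom.xml inputs are constructed samples. It cannot tell whether a registered servlet was further customized to be writable, because that is done in Java configuration code rather than in properties, so a registered default servlet on a Tomcat that is not known to be fixed is flagged for review rather than declared vulnerable.

```python
"""Audit a Spring Boot project for its exposure to CVE-2025-24813.

Added example, not Spring's or Tanzu's code. Reads application.properties
(is Tomcat's DefaultServlet registered at all?) and pom.xml (which Tomcat
does the build resolve: a <tomcat.version> override, else the version the
spring-boot-dependencies BOM of the parent release pins). Whether a
registered default servlet was also made writable lives in Java
configuration code, which this script does not inspect.
"""
import xml.etree.ElementTree as ET

# Tomcat bundled by the Spring Boot releases named in the advisory; other
# releases are not tabulated here (assumption: look them up in the BOM).
BUNDLED_TOMCAT = {"3.2.13": "10.1.36", "3.3.9": "10.1.36"}
FIXED_10_1 = (10, 1, 35)  # first fixed release on the Tomcat 10.1 line

# Constructed sample inputs.
PROPS_DEFAULT = "server.port=8080\n"
PROPS_REGISTERED = (
    "server.port=8080\n"
    "# opt in to Tomcat's DefaultServlet (off by default in Spring Boot)\n"
    "server.servlet.register-default-servlet=true\n"
)
POM_PARENT_ONLY = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.3.9</version>
  </parent>
  <artifactId>demo</artifactId>
  <version>0.0.1</version>
</project>
"""
# Older parent, but Tomcat pinned explicitly (the Option 3 remediation).
POM_OVERRIDE = POM_PARENT_ONLY.replace("<version>3.3.9</version>", "<version>3.3.8</version>").replace(
    "<artifactId>demo</artifactId>",
    "<artifactId>demo</artifactId>\n  <properties><tomcat.version>10.1.35</tomcat.version></properties>",
)


def parse_properties(text):
    """Minimal .properties reader: key=value or key: value, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def default_servlet_registered(props):
    """Spring Boot registers Tomcat's DefaultServlet only when this property is true."""
    return props.get("server.servlet.register-default-servlet", "false").lower() == "true"


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM namespace


def pom_tomcat_version(pom_xml):
    """Return (tomcat version or None, where it came from)."""
    override = parent_version = None
    for el in ET.fromstring(pom_xml).iter():
        name = _local(el.tag)
        if name == "tomcat.version":
            override = (el.text or "").strip()
        elif name == "parent":
            for child in el:
                if _local(child.tag) == "version":
                    parent_version = (child.text or "").strip()
    if override:
        return override, "tomcat.version override"
    if parent_version in BUNDLED_TOMCAT:
        return BUNDLED_TOMCAT[parent_version], f"spring-boot-dependencies {parent_version}"
    return None, f"unknown (parent {parent_version!r} not tabulated)"


def tomcat_fixed(version):
    """True/False on the 10.1 line; None when the version is unknown or on another line."""
    if version is None:
        return None
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] != (10, 1):
        return None
    return parts >= FIXED_10_1


def assess(properties_text, pom_xml):
    registered = default_servlet_registered(parse_properties(properties_text))
    version, source = pom_tomcat_version(pom_xml)
    fixed = tomcat_fixed(version)
    return {
        "default_servlet_registered": registered,
        "tomcat_version": version,
        "tomcat_source": source,
        "tomcat_fixed": fixed,
        # only worth a look when the servlet is present and Tomcat is not known to be fixed
        "review_needed": registered and fixed is not True,
    }


if __name__ == "__main__":
    print(assess(PROPS_DEFAULT, POM_PARENT_ONLY))
    print(assess(PROPS_REGISTERED, POM_OVERRIDE))
    print(assess(PROPS_REGISTERED, POM_PARENT_ONLY.replace("3.3.9", "3.3.8")))
```

For projects that configure the property in application.yml or through environment variables, or that pin Tomcat through Gradle rather than a Maven property, feed the resolved values in the same shape; the decision logic does not change. A review_needed result means the default servlet is present and the resolved Tomcat is not known to be fixed, which is the point at which the application's Java configuration should be inspected for a customization that sets readonly to false.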
TKGi Server Versions Affected
- The detection is reported through TKGi Release 1.22.0 (a false positive, see below).
- Not reported from TKGi Release 1.22.1.
- TKGi UAA does not enable writes for the default servlet, which is required to be vulnerable to CVE-2025-24813. This is a false positive.
- Upgrading to UAA v77.20.3 addresses the detection logic to prevent false positives, but no actual security vulnerability exists in the current setup.
Tanzu Data Management Console
- rabbitmq-connector-service uses Spring Boot, which neither registers the default servlet nor configures it with readonly disabled; both are required to be vulnerable to CVE-2025-24813.
- This is a false positive.
History
2025-03-25: Initial vulnerability report published.
Contact
E-mail: [email protected]
VMware Tanzu Security Advisories
https://support.broadcom.com/group/ecx/security-advisory?segment=VT