Last updated date: 21st March 2025
Advisory publication date: 21st March 2025
Summary
This advisory provides analysis of vulnerabilities in the Apache Tomcat application server that attackers can exploit to achieve Remote Code Execution (RCE) or Information Disclosure. It covers the critical vulnerability CVE-2025-24813, the unrated (possibly critical) vulnerability CVE-2024-56337, and the unrated (possibly critical) vulnerability CVE-2024-50379.
CloverDX Server is not affected by these vulnerabilities unless you change the default settings of your host Apache Tomcat container. See below for additional discussion.
Am I affected?
All supported versions of CloverDX can be installed into vulnerable versions of Apache Tomcat. Additionally, all supported versions of CloverDX contain Embedded Apache Tomcat, which is also vulnerable to the listed vulnerabilities. However, the embedded instance of Tomcat cannot be exploited – see the Embedded Tomcat is not affected section below for more detail.
Note that even if CloverDX is deployed into a vulnerable Apache Tomcat version, it is not affected by these vulnerabilities in the default configuration across all deployment models (i.e., manual installation, Docker Hub image and cloud offers in AWS and Azure) and across all versions.
These vulnerabilities can only be exploited if the Tomcat initialization parameter readonly is set to false for the default servlet (the default value is true). If you have deployed CloverDX into a vulnerable version of Apache Tomcat, check Tomcat's initialization parameters to see whether you are affected.
The configuration parameters can be found in the web.xml configuration file in your Tomcat installation. Look for the configuration of the default servlet by searching for <servlet-name>default</servlet-name>. The default configuration does not explicitly configure the readonly parameter (hence it uses the default value of true) and looks like this:
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
You may be vulnerable if a parameter called readonly is defined and its value is explicitly set to false, like this:
<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>
Note that you may not be vulnerable even if you changed the default configuration: the readonly setting is a required condition for the vulnerabilities to work, but it is not the only condition that must be satisfied (see below for the details of each vulnerability).
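To perform the web.xml check described above on a whole file rather than by eye, here is an added Python helper (not CloverDX's or Tomcat's own code) that parses a Tomcat web.xml and reports whether the default servlet is write-enabled; the sample web.xml is constructed. It goes slightly beyond the page: because Tomcat's DefaultServlet parses the value with Boolean.parseBoolean, any value other than a case-insensitive true (e.g. False or no) is treated as write-enabled, not only the literal false.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/web.xml in which an administrator has
# switched the default servlet to write mode (the condition the advisory describes).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>False</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds, so the lookup works whatever
    web-app schema (Java EE or Jakarta EE) the file declares."""
    return tag.rsplit('}', 1)[-1]

def default_servlet_init_params(web_xml_text):
    """Return {param-name: param-value} for the servlet named 'default'."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        name = next((c.text for c in servlet if _local(c.tag) == 'servlet-name'), None)
        if (name or '').strip() != 'default':
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != 'init-param':
                continue
            kv = {_local(c.tag): (c.text or '').strip() for c in ip}
            params[kv.get('param-name', '')] = kv.get('param-value', '')
        return params
    return {}

def default_servlet_write_enabled(web_xml_text):
    """True when the default servlet accepts writes. Tomcat's DefaultServlet only
    reads the parameter when it is present and parses it with Boolean.parseBoolean,
    so an absent parameter means the default (true, read-only) and any value other
    than a case-insensitive 'true' (e.g. 'False', 'no') enables writes."""
    value = default_servlet_init_params(web_xml_text).get('readonly')
    return value is not None and value.strip().lower() != 'true'
```

On a real installation call default_servlet_write_enabled(open('/path/to/tomcat/conf/web.xml').read()); a True result means the required condition for all three CVEs is met.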
CVE ID(s)
- CVE-2025-24813
- CVE-2024-56337
- CVE-2024-50379
Affected product versions
- CloverDX 6.7.x
- CloverDX 6.6.x
- CloverDX 6.5.x
- CloverDX 6.4.x
- CloverDX 6.3.x or older – these product versions are Retired or End of Life and no longer receive security fixes. However, you can verify whether you are affected in the same way as for the supported versions of CloverDX.
Vulnerabilities
CVE-2025-24813: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet.
The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by ".".
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack.
This issue affects Tomcat versions 9.0.0.M1 to 9.0.98. Other affected versions of Tomcat – 10.x and 11.x – are not relevant to currently supported versions of CloverDX as CloverDX does not run on these versions of Tomcat.
- CVE details: CVE-2025-24813 (NVD)
- Severity: critical
- CVSS 3.1 score: 9.8
- CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-56337: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete.
The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 9.0.98 or later, users running Tomcat on a case insensitive file system with the default servlet write enabled may need additional configuration depending on the version of Java being used:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further config
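To turn the three Java-version rules above into a repeatable check, here is an added Python helper (not CloverDX's or Tomcat's own code) that derives the Java major release from a version string and inspects a JVM option string such as CATALINA_OPTS for -Dsun.io.useCanonCaches. Java releases between 11 and 17 are not mentioned by the advisory; the code treats them like Java 8/11, which is an assumption on the conservative side.

```python
import re

def java_major(version_string):
    """Map a Java version string (as printed by `java -version` or held in the
    java.version property) to its major release: '1.8.0_392' -> 8, '11.0.21' -> 11,
    '21' -> 21. Pre-9 versions use the legacy '1.x' scheme, hence the special case."""
    m = re.search(r'(\d+)(?:\.(\d+))?', version_string)
    if not m:
        raise ValueError("no Java version found in %r" % version_string)
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major

def canon_caches_setting(jvm_opts):
    """Return the lower-cased value of -Dsun.io.useCanonCaches from a JVM option
    string (e.g. the contents of CATALINA_OPTS or JAVA_OPTS), or None when unset."""
    m = re.search(r'-Dsun\.io\.useCanonCaches=(\S+)', jvm_opts)
    return m.group(1).lower() if m else None

def cve_2024_56337_mitigated(version_string, jvm_opts):
    """Apply the advisory's per-Java-version rule for a write-enabled default
    servlet on a case-insensitive file system (after upgrading to Tomcat 9.0.98+).
    Assumption: releases the advisory does not list (12-16) are treated like 8/11."""
    major = java_major(version_string)
    value = canon_caches_setting(jvm_opts)
    if major >= 21:
        return True                        # Java 21 onwards: no further config
    if major >= 17:
        return value in (None, 'false')    # Java 17: default is false, must not be true
    return value == 'false'                # Java 8/11: must be set explicitly to false
```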
The issue affects Tomcat versions 9.0.0.M1 to 9.0.97. Other affected versions of Tomcat – 10.x and 11.x – are not relevant to currently supported versions of CloverDX as CloverDX does not run on these versions of Tomcat.
- CVE details: CVE-2024-56337 (NVD)
- Severity: critical
- CVSS 3.1 score: unrated by NVD, CISA-ADP score 9.8
- CVSS 3.1 vector: CISA-ADP CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-50379: Remote Code Execution via write enabled Default Servlet.
If the default servlet is write-enabled (readonly initialization parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.
The issue affects Tomcat versions 9.0.0.M1 to 9.0.97. Other affected versions of Tomcat – 10.x and 11.x – are not relevant to currently supported versions of CloverDX as CloverDX does not run on these versions of Tomcat.
- CVE details: CVE-2024-50379 (NVD)
- Severity: critical
- CVSS 3.1 score: not rated by NVD, CISA-ADP score 9.8
- CVSS 3.1 vector: CISA-ADP CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Embedded Tomcat is not affected
CloverDX Server bundles its own Embedded Apache Tomcat instance which is used to serve Data Services and other APIs. Depending on your version of CloverDX, this embedded Tomcat is version 9.0.85 (in CloverDX 6.4.0) to 9.0.88 (CloverDX 6.7.1).
Even though these versions are vulnerable, they are never affected by these vulnerabilities. Instances of the Embedded Tomcat are created by CloverDX Server with the readonly parameter at its default value (true). This is hard-coded and there is no way to change it (CloverDX Server does not expose any interface that would allow changing the initialization parameters of Embedded Tomcat instances).
As such, the reports of Embedded Tomcat can be considered false positives.
Nevertheless, we will be releasing updated bugfix versions of CloverDX which will contain a version of Apache Tomcat that is not affected by these vulnerabilities. We will update this advisory once these bugfixes are available.
What you need to do
- 6.4.x or newer users – upgrade your Apache Tomcat to a version that is not vulnerable (Apache Tomcat 9.0.99 or newer). Note that you can only use Tomcat 9 since CloverDX 6 does not support Tomcat 10 or Tomcat 11.
- 6.0.x to 6.3.2 users – these versions are retired and no longer receive security fixes. We recommend you upgrade your CloverDX to the latest version and upgrade your Apache Tomcat to a version that is not vulnerable (Tomcat 9.0.99 or newer). Note that you can only use Tomcat 9 since CloverDX 6 does not support Tomcat 10 or Tomcat 11.
- Older versions – these versions are End of Life and no longer eligible for support. We recommend you upgrade your CloverDX to the latest version and upgrade your Apache Tomcat to a version that is not vulnerable (Tomcat 9.0.99 or newer). Note that you can only use Tomcat 9 since CloverDX 5 does not support Tomcat 10 or Tomcat 11.
Mitigation
Upgrade your Apache Tomcat application to a version that is not vulnerable.
You can run all affected versions of CloverDX on a version of Tomcat that is not vulnerable to the listed vulnerabilities. Use Tomcat 9.0.99 or newer – at the time of writing this advisory the latest version of Tomcat was 9.0.102.
You can also explicitly set the readonly initialization parameter in Tomcat’s web.xml to true by adding a section like this to the default servlet configuration:
<init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
</init-param>
Support
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
References
Update history
- 2025-03-21 – This advisory was first published.