Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
A flaw was found in Tomcat. A Time-of-check Time-of-use (TOCTOU) race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to be treated as a JSP and executed, resulting in remote code execution.
Report
This flaw can only be exploited when the readonly initialization parameter value is set to false, when running on case insensitive file systems and when the application is under load, specifically when read and upload operations are performed on the same file simultaneously.
The default readonly initialization parameter value is true and is not vulnerable to this issue.
Because of the conditions required to exploit this issue, in particular the unlikely configuration it depends on, this flaw has been rated with a Moderate severity.
The Tomcat package as shipped in Red Hat Enterprise Linux 6 and 7 is not affected by this vulnerability because the vulnerable code was introduced in a newer Tomcat version.
Red Hat Satellite is not directly impacted by this issue as it does not include the affected Tomcat package. However, Tomcat is consumed by Candlepin, a component of Satellite. Red Hat Satellite users are advised to check the impact state of Red Hat Enterprise Linux as any necessary fixes will be distributed through the platform.
Mitigation
Consider setting the readonly initialization parameter value to true (the default value). If that is not possible, do not use a case-insensitive file system.
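An added audit check, not taken from the page or from Tomcat itself, that tests the two advisory conditions a defender can read from disk: whether the running Tomcat version falls in the affected ranges above, and whether the DefaultServlet in conf/web.xml carries readonly=false. The sample web.xml fragment and all function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release of each branch the advisory names; anything earlier on
# that branch, milestones (M1...) included, is affected.
FIXED = {(9, 0): 98, (10, 1): 34, (11, 0): 2}

def parse_version(v):
    # '9.0.97', '10.1.0-M1' and '9.0.0.M1' become comparable tuples; a milestone
    # sorts before the final release of the same number.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[.-]?(?:M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v}")
    major, minor, patch, ms = m.groups()
    return int(major), int(minor), int(patch), (int(ms) if ms else float("inf"))
def is_affected_version(v):
    major, minor, patch, ms = parse_version(v)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False  # branch not listed in the advisory
    return (patch, ms) < (fixed, float("inf"))
def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
def default_servlet_writable(web_xml):
    # True when the DefaultServlet carries readonly=false (the non-default,
    # exposed setting); no readonly parameter means Tomcat's default, true.
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if cls != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                if kv.get("param-name") == "readonly":
                    return kv.get("param-value", "").lower() == "false"
    return False
def exposed(version, web_xml):
    # Both advisory conditions visible on disk; file-system case-insensitivity
    # has to be verified separately.
    return is_affected_version(version) and default_servlet_writable(web_xml)

# Constructed sample conf/web.xml fragment with the exposed setting.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
```

Run it against the real conf/web.xml and the output of version.sh on each host; a true result from exposed() means the upgrade or the readonly=true mitigation is still outstanding there.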
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | tomcat | Affected | | |
Red Hat Enterprise Linux 6 | tomcat6 | Not affected | | |
Red Hat Enterprise Linux 7 | tomcat | Not affected | | |
Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Will not fix | | |
Red Hat Enterprise Linux 9 | pki-servlet-engine | Affected | | |
Red Hat Enterprise Linux 8 | tomcat | Fixed | RHSA-2025:3683 | 08.04.2025 |
Red Hat Enterprise Linux 8.8 Extended Update Support | tomcat | Fixed | RHSA-2025:3684 | 08.04.2025 |
Red Hat Enterprise Linux 9 | tomcat | Fixed | RHSA-2025:3645 | 07.04.2025 |
Red Hat Enterprise Linux 9.2 Extended Update Support | pki-servlet-engine | Fixed | RHSA-2025:1920 | 27.02.2025 |
Red Hat Enterprise Linux 9.2 Extended Update Support | tomcat | Fixed | RHSA-2025:3646 | 07.04.2025 |
Additional information
CVSS3: 8.1 High
Related vulnerabilities
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during ...
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Vulnerability in the DefaultServlet servlet of the Apache Tomcat application server allowing an attacker to execute arbitrary code