An update for tomcat is now available for openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1226 Final 1.0 1.0 2025-02-28 Initial 2025-02-28 2025-02-28 openEuler SA Tool V1.0 2025-02-28 tomcat security update An update for tomcat is now available for openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3 The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project Security Fix(es): Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.(CVE-2024-56337) An update for tomcat is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical tomcat https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1226 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-56337 https://nvd.nist.gov/vuln/detail/CVE-2024-56337 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 tomcat-9.0.100-1.oe2203sp4.src.rpm tomcat-9.0.100-1.oe2403.src.rpm tomcat-9.0.100-1.oe2403sp1.src.rpm tomcat-9.0.100-1.oe2003sp4.src.rpm tomcat-9.0.100-1.oe2203sp3.src.rpm tomcat-9.0.100-1.oe2203sp4.noarch.rpm tomcat-help-9.0.100-1.oe2203sp4.noarch.rpm tomcat-jsvc-9.0.100-1.oe2203sp4.noarch.rpm tomcat-9.0.100-1.oe2403.noarch.rpm tomcat-help-9.0.100-1.oe2403.noarch.rpm tomcat-jsvc-9.0.100-1.oe2403.noarch.rpm tomcat-9.0.100-1.oe2403sp1.noarch.rpm tomcat-help-9.0.100-1.oe2403sp1.noarch.rpm tomcat-jsvc-9.0.100-1.oe2403sp1.noarch.rpm tomcat-9.0.100-1.oe2003sp4.noarch.rpm tomcat-help-9.0.100-1.oe2003sp4.noarch.rpm tomcat-jsvc-9.0.100-1.oe2003sp4.noarch.rpm tomcat-9.0.100-1.oe2203sp3.noarch.rpm tomcat-help-9.0.100-1.oe2203sp3.noarch.rpm tomcat-jsvc-9.0.100-1.oe2203sp3.noarch.rpm Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can. 2025-02-28 CVE-2024-56337 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H tomcat security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1226