1. Ubuntu Security Notices
  2. USN-7525-1

USN-7525-1: Tomcat vulnerability

Publication date

21 May 2025

Overview

Tomcat could expose sensitive files or run programs if it received specially crafted network traffic.

Releases

Packages

  • tomcat10 - Apache Tomcat 10 - Servlet and JSP engine
  • tomcat9 - Apache Tomcat 9 - Servlet and JSP engine

Details

It was discovered that Apache Tomcat incorrectly implemented partial
PUT functionality by replacing path separators with dots in temporary
files. A remote attacker could possibly use this issue to access
sensitive files, inject malicious content, or execute remote code.

It was discovered that Apache Tomcat incorrectly implemented partial
PUT functionality by replacing path separators with dots in temporary
files. A remote attacker could possibly use this issue to access
sensitive files, inject malicious content, or execute remote code.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
24.04 noble libtomcat10-java –  10.1.16-1ubuntu0.1~esm1  
tomcat10 –  10.1.16-1ubuntu0.1~esm1  
22.04 jammy libtomcat9-java –  9.0.58-1ubuntu0.2+esm2  
tomcat9 –  9.0.58-1ubuntu0.2+esm2  
20.04 focal libtomcat9-java –  9.0.31-1ubuntu0.9+esm1  
tomcat9 –  9.0.31-1ubuntu0.9+esm1  
18.04 bionic libtomcat9-java –  9.0.16-3ubuntu0.18.04.2+esm6  
tomcat9 –  9.0.16-3ubuntu0.18.04.2+esm6  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›