我要评论apache tomcat 远程代码执行漏洞(cve-2025-24813)
tomcat 是一个开源的、轻量级的 web 应用服务器 和 servlet 容器。它由 apache 软件基金会下的 jakarta 项目开发,是目前最流行的 java web 服务器之一。
该漏洞利用条件较为复杂,需同时满足以下四个条件:
- 应用程序启用了 defaultservlet 写入功能,该功能默认关闭。
- 应用支持了 partial put 请求,能够将恶意的序列化数据写入到会话文件中,该功能默认开启。
- 应用使用了 tomcat 的文件会话持久化并且使用了默认的会话存储位置,需要额外配置。
- 应用中包含一个存在反序列化漏洞的库,比如存在于类路径下的 commons-collections,此条件取决于业务实现是否依赖存在反序列化利用链的库。
漏洞威胁等级:高危
受影响的版本
11.0.0-m1 <= apache tomcat <= 11.0.2
10.1.0-m1 <= apache tomcat <= 10.1.34
9.0.0.m1 <= apache tomcat <= 9.0.98
安全版本
apache tomcat >= 11.0.3
apache tomcat >= 10.1.35
apache tomcat >= 9.0.99
关键配置
项目结构
demo_project ├─module │ ├─src │ │ └─main | └─pom.xml └─pom.xml
项目根路径下的 pom.xml
<?xml version="1.0" encoding="utf-8"?>
<project xmlns="http://maven.apache.org/pom/4.0.0"
xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
xsi:schemalocation="http://maven.apache.org/pom/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelversion>4.0.0</modelversion>
<groupid>cn.demo</groupid>
<artifactid>demo</artifactid>
<version>1.0.0</version>
<name>demo</name>
<description>demo</description>
<properties>
<demo.version>1.0.0</demo.version>
<project.build.sourceencoding>utf-8</project.build.sourceencoding>
<project.reporting.outputencoding>utf-8</project.reporting.outputencoding>
<java.version>1.8</java.version>
<tomcat.version>9.0.99</tomcat.version>
<jakarta.annotation-api.version>1.3.5</jakarta.annotation-api.version>
</properties>
<!-- 依赖声明 -->
<dependencymanagement>
<dependencies>
<!-- springboot的依赖配置-->
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-dependencies</artifactid>
<version>2.5.14</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!-- 解决apache tomcat 远程代码执行漏洞(cve-2025-24813)-->
<dependency>
<groupid>org.apache.tomcat.embed</groupid>
<artifactid>tomcat-embed-core</artifactid>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupid>org.apache.tomcat.embed</groupid>
<artifactid>tomcat-embed-el</artifactid>
<version>${tomcat.version}</version>
</dependency>
<dependency>
<groupid>org.apache.tomcat.embed</groupid>
<artifactid>tomcat-embed-websocket</artifactid>
<version>${tomcat.version}</version>
<exclusions>
<exclusion>
<artifactid>tomcat-annotations-api</artifactid>
<groupid>org.apache.tomcat</groupid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>jakarta.annotation</groupid>
<artifactid>jakarta.annotation-api</artifactid>
<version>${jakarta.annotation-api.version}</version>
</dependency>
</dependencies>
</dependencymanagement>
<modules>
<module>module</module>
</modules>
<packaging>pom</packaging>
<dependencies>
</dependencies>
<build>
<plugins>
<plugin>
<groupid>org.apache.maven.plugins</groupid>
<artifactid>maven-compiler-plugin</artifactid>
<version>3.8.1</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
<encoding>${project.build.sourceencoding}</encoding>
<parameters>true</parameters>
</configuration>
</plugin>
</plugins>
<resources>
<resource>
<directory>src/main/resources</directory>
<filtering>true</filtering>
</resource>
<resource>
<directory>src/main/java</directory>
<includes>
<include>**/*.xml</include>
</includes>
</resource>
</resources>
</build>
</project>
module 目录下的 pom.xml
<?xml version="1.0" encoding="utf-8"?>
<project xmlns="http://maven.apache.org/pom/4.0.0"
xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
xsi:schemalocation="http://maven.apache.org/pom/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<artifactid>demo</artifactid>
<groupid>cn.demo</groupid>
<version>1.0.0</version>
</parent>
<modelversion>4.0.0</modelversion>
<artifactid>module</artifactid>
<description>
module模块
</description>
<dependencies>
<!-- springboot web容器 -->
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-web</artifactid>
<exclusions>
<exclusion>
<groupid>org.apache.logging.log4j</groupid>
<artifactid>log4j-api</artifactid>
</exclusion>
<exclusion>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-tomcat</artifactid>
</exclusion>
</exclusions>
</dependency>
<!-- websocket -->
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-websocket</artifactid>
<exclusions>
<exclusion>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-tomcat</artifactid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.apache.tomcat.embed</groupid>
<artifactid>tomcat-embed-core</artifactid>
<exclusions>
<exclusion>
<artifactid>tomcat-annotations-api</artifactid>
<groupid>org.apache.tomcat</groupid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>org.apache.tomcat.embed</groupid>
<artifactid>tomcat-embed-el</artifactid>
</dependency>
<dependency>
<groupid>org.apache.tomcat.embed</groupid>
<artifactid>tomcat-embed-websocket</artifactid>
<exclusions>
<exclusion>
<artifactid>tomcat-annotations-api</artifactid>
<groupid>org.apache.tomcat</groupid>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupid>jakarta.annotation</groupid>
<artifactid>jakarta.annotation-api</artifactid>
</dependency>
</dependencies>
</project>
参考文献
到此这篇关于springboot tomcat漏洞修复的解决方法的文章就介绍到这了,更多相关springboot tomcat漏洞修复内容请搜索代码网以前的文章或继续浏览下面的相关文章希望大家以后多多支持代码网!
发表评论