{"id":2733612,"date":"2025-03-19T12:35:54","date_gmt":"2025-03-19T19:35:54","guid":{"rendered":"https:\/\/www.esri.com\/arcgis-blog\/?post_type=blog&#038;p=2733612"},"modified":"2025-05-27T15:08:37","modified_gmt":"2025-05-27T22:08:37","slug":"recent-apache-tomcat-rce-vulnerabilities","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities","title":{"rendered":"Recent Apache Tomcat RCE Vulnerabilities"},"author":5311,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501],"tags":[24081,24071,241722,778842],"industry":[],"product":[763582],"class_list":["post-2733612","blog","type-blog","status-publish","format-standard","hentry","category-administration","tag-ssamymlgp","tag-security","tag-ssamlymlgp","tag-tomcat","product-trust-arcgis"],"acf":{"short_description":"Recent media-hyped Apache Tomcat vulnerabilities NOT exploitable in ArcGIS Enterprise","flexible_content":[{"acf_fc_layout":"content","content":"<p>There has been a recent string of media-hyped open-source component vulnerabilities in <a href=\"https:\/\/tomcat.apache.org\/security-11.htm\">Apache Tomcat<\/a> over the last several weeks. 
One of these (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-24813\">CVE-2025-24813<\/a>) is receiving heightened scrutiny because it is reported as having been exploited in the wild just a few days after a proof-of-concept was released.<\/p>\n<p>In addition to <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-24813\">CVE-2025-24813<\/a>, other recent, similar Tomcat vulnerabilities include <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-50379\">CVE-2024-50379<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-56337\">CVE-2024-56337<\/a>.<\/p>\n<p>While Apache Tomcat is shipped in each server component of ArcGIS Enterprise, we have validated that ArcGIS Enterprise is not vulnerable to any of these three issues because ArcGIS Enterprise software does not meet the requirements for exploitation.<\/p>\n<p>Specifically, ArcGIS Enterprise does not enable the non-default write operation on the default Tomcat servlet, <strong>which is the first requirement for exploiting any of these CVEs.<\/strong> Unless this option is explicitly enabled, these three CVEs are <strong>not exploitable<\/strong> in Apache Tomcat.<\/p>\n<p>A security scanner run against ArcGIS Enterprise may incorrectly flag these issues as a concern. This is because some security scanners may detect a vulnerable version of Apache Tomcat; however, we have confirmed that Tomcat is not used in a way that would make it vulnerable to these CVEs.<\/p>\n<p>With that said, users who deploy the ArcGIS Web Adaptor for Java using Tomcat should take the time to validate whether the non-default write operation on the default servlet is enabled in their Tomcat installs, check whether the PUT method is enabled, and plan to upgrade to an unaffected version of Tomcat.<\/p>\n<ul>\n<li>Esri Software Security &amp; Privacy<\/li>\n<\/ul>\n"}],"related_articles":"","authors":[{"ID":5311,"user_firstname":"Randall","user_lastname":"Williams","nickname":"Randall 
Williams","user_nicename":"randallwilliams","display_name":"Randall Williams","user_email":"randall_williams@esri.com","user_url":"https:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:17:03","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"}],"show_article_image":false,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/03\/Apache-Tomcat-768x486-1-e1742412883613.png","wide_image":false},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Recent Apache Tomcat RCE Vulnerabilities<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Recent Apache Tomcat RCE Vulnerabilities\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities\" \/>\n<meta property=\"og:site_name\" content=\"ArcGIS Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-27T22:08:37+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@ESRI\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities\"},\"author\":{\"name\":\"Randall Williams\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959\"},\"headline\":\"Recent Apache Tomcat RCE Vulnerabilities\",\"datePublished\":\"2025-03-19T19:35:54+00:00\",\"dateModified\":\"2025-05-27T22:08:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities\"},\"wordCount\":5,\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"keywords\":[\"ArcGIS Trust Center\",\"Security\",\"SSAMLYMLGP\",\"Tomcat\"],\"articleSection\":[\"Administration\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities\",\"name\":\"Recent Apache Tomcat RCE 
Vulnerabilities\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\"},\"datePublished\":\"2025-03-19T19:35:54+00:00\",\"dateModified\":\"2025-05-27T22:08:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esri.com\/arcgis-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Recent Apache Tomcat RCE Vulnerabilities\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"name\":\"ArcGIS Blog\",\"description\":\"Get insider info from Esri product 
teams\",\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\",\"name\":\"Esri\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"width\":400,\"height\":400,\"caption\":\"Esri\"},\"image\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/esrigis\/\",\"https:\/\/x.com\/ESRI\",\"https:\/\/www.linkedin.com\/company\/5311\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959\",\"name\":\"Randall Williams\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png\",\"caption\":\"Randall Williams\"},\"sameAs\":[\"https:\/\/trust.arcgis.com\"],\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Recent Apache Tomcat RCE Vulnerabilities","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities","og_locale":"en_US","og_type":"article","og_title":"Recent Apache Tomcat RCE Vulnerabilities","og_url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities","og_site_name":"ArcGIS Blog","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","article_modified_time":"2025-05-27T22:08:37+00:00","twitter_card":"summary_large_image","twitter_site":"@ESRI","twitter_misc":{"Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities#article","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities"},"author":{"name":"Randall Williams","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959"},"headline":"Recent Apache Tomcat RCE Vulnerabilities","datePublished":"2025-03-19T19:35:54+00:00","dateModified":"2025-05-27T22:08:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities"},"wordCount":5,"publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"keywords":["ArcGIS Trust 
Center","Security","SSAMLYMLGP","Tomcat"],"articleSection":["Administration"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities","url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities","name":"Recent Apache Tomcat RCE Vulnerabilities","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#website"},"datePublished":"2025-03-19T19:35:54+00:00","dateModified":"2025-05-27T22:08:37+00:00","breadcrumb":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/recent-apache-tomcat-rce-vulnerabilities#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/arcgis-blog\/"},{"@type":"ListItem","position":2,"name":"Recent Apache Tomcat RCE Vulnerabilities"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/arcgis-blog\/#website","url":"https:\/\/www.esri.com\/arcgis-blog\/","name":"ArcGIS Blog","description":"Get insider info from Esri product 
teams","publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization","name":"Esri","url":"https:\/\/www.esri.com\/arcgis-blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","width":400,"height":400,"caption":"Esri"},"image":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/esrigis\/","https:\/\/x.com\/ESRI","https:\/\/www.linkedin.com\/company\/5311\/"]},{"@type":"Person","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/6257d65f342fee9c48e7f16f9a428959","name":"Randall Williams","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/08\/softwaresecurity.png","caption":"Randall Williams"},"sameAs":["https:\/\/trust.arcgis.com"],"url":"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams"}]}},"text_date":"March 19, 2025","author_name":"Randall Williams","author_page":"https:\/\/www.esri.com\/arcgis-blog\/author\/randallwilliams","custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS Trust Center","tag_data":[{"term_id":24081,"name":"ArcGIS Trust 
Center","slug":"ssamymlgp","term_group":0,"term_taxonomy_id":24081,"taxonomy":"post_tag","description":"","parent":0,"count":96,"filter":"raw"},{"term_id":24071,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":24071,"taxonomy":"post_tag","description":"","parent":0,"count":124,"filter":"raw"},{"term_id":241722,"name":"SSAMLYMLGP","slug":"ssamlymlgp","term_group":0,"term_taxonomy_id":241722,"taxonomy":"post_tag","description":"","parent":0,"count":25,"filter":"raw"},{"term_id":778842,"name":"Tomcat","slug":"tomcat","term_group":0,"term_taxonomy_id":778842,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"}],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":422,"filter":"raw"}],"product_data":[{"term_id":763582,"name":"ArcGIS Trust Center","slug":"trust-arcgis","term_group":0,"term_taxonomy_id":763582,"taxonomy":"product","description":"Reserved for articles authored by the ArcGIS Trust Center 
team","parent":36981,"count":86,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=trust-arcgis","_links":{"self":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2733612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/users\/5311"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/comments?post=2733612"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2733612\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/media?parent=2733612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/categories?post=2733612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/tags?post=2733612"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/industry?post=2733612"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/product?post=2733612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}