Waters

Should I be concerned about the Exploitation of Apache Tomcat Vulnerability CVE-2025-24813? - WKB310198

Article number: 310198

ENVIRONMENT

  • waters_connect 4.0.0 LTS and earlier

ANSWER

These files are not used by our product, but we need to keep and deploy them because they are needed when a new patch is applied (all the binaries need to be present on the machine).

However, this analysis of the risk suggests that the exploitable configuration is relatively uncommon, so the threat may not be significant.

Here are the requirements for potential exploitation and the link to the site

Exploitability requirements

Per the advisory, an attacker could view security sensitive files and/or inject content into those files if ALL of the following were true:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads (ed: Rapid7 and other researchers found this to be unnecessary for exploitation)
  • attacker knowledge of the names of security sensitive files being uploaded (ed: Rapid7 and other researchers found this to be unnecessary for exploitation)
  • the security sensitive files also being uploaded via partial PUT (ed: Rapid7 and other researchers found this to be unnecessary for exploitation)

An attacker could achieve remote code execution if ALL of the following were true:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file-based session persistence (ed: disabled by default) with the default storage location
  • application included a library that may be leveraged in a deserialization attack (ed: this is the case for many Java applications)

Based on this, we suggest the following actions:

  1. Disable the exploitability requirements described in the article so that the vulnerability cannot manifest
  2. Quarantine the files, as they are not used by waters_connect, but do not delete them, as in-place upgrades to a later version might fail
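
One way to confirm action 1 is to check a Tomcat configuration for the settings named in the exploitability requirements above. The following Python check is an added example, not Waters or Apache code. It assumes the default servlet is declared in `web.xml` with the `readonly` and `allowPartialPut` init-params and that session persistence is configured through a `Manager`/`Store` element in `context.xml`; the function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace, if any

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def default_servlet_params(web_xml):
    """Init-params of the default servlet, starting from Tomcat's defaults."""
    params = {"readonly": "true", "allowPartialPut": "true"}
    for s in ET.fromstring(web_xml).iter():
        if _local(s.tag) == "servlet" and _text(s, "servlet-class") == DEFAULT_SERVLET:
            for p in s:
                if _local(p.tag) == "init-param":
                    params[_text(p, "param-name")] = _text(p, "param-value").lower()
    return params

def default_file_store(context_xml):
    """True if a Manager uses FileStore without an explicit directory."""
    return any(st.get("className", "").endswith(".FileStore") and not st.get("directory")
               for m in ET.fromstring(context_xml).iter("Manager") for st in m.iter("Store"))

def assess(web_xml, context_xml):
    p = default_servlet_params(web_xml)
    writes = p["readonly"] == "false"           # writes enabled for the default servlet
    partial = p["allowPartialPut"] != "false"   # partial PUT is on unless disabled
    store = default_file_store(context_xml)
    # The deserialization-library condition cannot be read from configuration.
    return {"writes_enabled": writes, "partial_put": partial, "file_session_store": store,
            "file_access_preconditions": writes and partial,
            "rce_config_preconditions": writes and partial and store}

# Constructed sample configuration (not taken from any real deployment).
RISKY_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
RISKY_CTX = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
STOCK_WEB = RISKY_WEB.replace("false", "true")
STOCK_CTX = "<Context/>"

if __name__ == "__main__":
    print(assess(RISKY_WEB, RISKY_CTX))
    print(assess(STOCK_WEB, STOCK_CTX))
```

To check a real installation, pass the contents of Tomcat's `conf/web.xml` and `conf/context.xml` to `assess()`; web applications can also carry their own `WEB-INF/web.xml` and `META-INF/context.xml`, which should be checked the same way.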

ADDITIONAL INFORMATION
