Spring Boot Tomcat 漏洞修复

Spring Boot Tomcat 漏洞修复

Apache Tomcat 远程代码执行漏洞(CVE-2025-24813)

Tomcat 是一个开源的、轻量级的 Web 应用服务器 和 Servlet 容器。它由 Apache 软件基金会下的 Jakarta 项目开发，是目前最流行的 Java Web 服务器之一。

该漏洞利用条件较为复杂，需同时满足以下四个条件：

1. 应用程序启用了 DefaultServlet 写入功能，该功能默认关闭。
2. 应用支持了 partial PUT 请求，能够将恶意的序列化数据写入到会话文件中，该功能默认开启。
3. 应用使用了 Tomcat 的文件会话持久化并且使用了默认的会话存储位置，需要额外配置。
4. 应用中包含一个存在反序列化漏洞的库，比如存在于类路径下的 commons-collections，此条件取决于业务实现是否依赖存在反序列化利用链的库。

漏洞威胁等级：高危

受影响的版本

11.0.0-M1 <= Apache Tomcat <= 11.0.2
10.1.0-M1 <= Apache Tomcat <= 10.1.34
9.0.0.M1 <= Apache Tomcat <= 9.0.98

安全版本

Apache Tomcat >= 11.0.3
Apache Tomcat >= 10.1.35
Apache Tomcat >= 9.0.99

关键配置

项目结构

demo_project
├─module
│  ├─src
│  │  └─main
|  └─pom.xml
└─pom.xml

项目根路径下的 pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>cn.demo</groupId><artifactId>demo</artifactId><version>1.0.0</version><name>demo</name><description>demo</description><properties><demo.version>1.0.0</demo.version><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding><java.version>1.8</java.version><tomcat.version>9.0.99</tomcat.version><jakarta.annotation-api.version>1.3.5</jakarta.annotation-api.version></properties><!-- 依赖声明 --><dependencyManagement><dependencies><!-- SpringBoot的依赖配置--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-dependencies</artifactId><version>2.5.14</version><type>pom</type><scope>import</scope></dependency><!-- 解决Apache Tomcat 远程代码执行漏洞(CVE-2025-24813)--><dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core</artifactId><version>${tomcat.version}</version></dependency><dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-el</artifactId><version>${tomcat.version}</version></dependency><dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-websocket</artifactId><version>${tomcat.version}</version><exclusions><exclusion><artifactId>tomcat-annotations-api</artifactId><groupId>org.apache.tomcat</groupId></exclusion></exclusions></dependency><dependency><groupId>jakarta.annotation</groupId><artifactId>jakarta.annotation-api</artifactId><version>${jakarta.annotation-api.version}</version></dependency></dependencies></dependencyManagement><modules><module>module</module></modules><packaging>pom</packaging><dependencies></dependencies><build><plugins><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.8.1</version><configuration><source>${java.version}</source><target>${java.version}</target><encoding>${project.build.sourceEncoding}</encoding><parameters>true</parameters></configuration></plugin></plugins><resources><resource><directory>src/main/resources</directory><filtering>true</filtering></resource><resource><directory>src/main/java</directory><includes><include>**/*.xml</include></includes></resource></resources></build>
</project>

module 目录下的 pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><parent><artifactId>demo</artifactId><groupId>cn.demo</groupId><version>1.0.0</version></parent><modelVersion>4.0.0</modelVersion><artifactId>module</artifactId><description>module模块</description><dependencies><!-- SpringBoot Web容器 --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId><exclusions><exclusion><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId></exclusion><exclusion><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-tomcat</artifactId></exclusion></exclusions></dependency><!-- websocket --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-websocket</artifactId><exclusions><exclusion><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-tomcat</artifactId></exclusion></exclusions></dependency><dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core</artifactId><exclusions><exclusion><artifactId>tomcat-annotations-api</artifactId><groupId>org.apache.tomcat</groupId></exclusion></exclusions></dependency><dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-el</artifactId></dependency><dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-websocket</artifactId><exclusions><exclusion><artifactId>tomcat-annotations-api</artifactId><groupId>org.apache.tomcat</groupId></exclusion></exclusions></dependency><dependency><groupId>jakarta.annotation</groupId><artifactId>jakarta.annotation-api</artifactId></dependency></dependencies>
</project>

参考文献

1. spring-boot-starter-parent 2.5.14 maven 依赖项