Spring Boot Tomcat Vulnerability Fix

Apache Tomcat Remote Code Execution Vulnerability (CVE-2025-24813)

Tomcat is an open-source, lightweight web application server and Servlet container. It was developed by the Jakarta project under the Apache Software Foundation and is currently one of the most widely used Java web servers.

Exploiting this vulnerability is relatively involved: all four of the following conditions must hold at the same time.

  1. The application has enabled write support in the DefaultServlet; this feature is disabled by default.
  2. The application accepts partial PUT requests, which allows malicious serialized data to be written into a session file; this feature is enabled by default.
  3. The application uses Tomcat's file-based session persistence together with the default session storage location; this requires extra configuration.
  4. The application contains a library with a deserialization vulnerability, for example commons-collections on the classpath; whether this holds depends on whether the business code depends on a library that provides a deserialization gadget chain.

Threat level: High

Affected versions

11.0.0-M1 <= Apache Tomcat <= 11.0.2
10.1.0-M1 <= Apache Tomcat <= 10.1.34
9.0.0.M1 <= Apache Tomcat <= 9.0.98

Safe versions

Apache Tomcat >= 11.0.3
Apache Tomcat >= 10.1.35
Apache Tomcat >= 9.0.99
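As an added example (not code from the original post), the following Python script encodes the affected and safe ranges listed above, parses Tomcat's milestone version syntax (`9.0.0.M1`, `10.1.0-M1`) correctly, and reads the pinned `tomcat.version` property out of a pom.xml so a build can fail fast when an unpatched embedded Tomcat is still declared; the sample pom is constructed for the example.

```python
"""Classify an Apache Tomcat version against the CVE-2025-24813 ranges above."""
import re
import xml.etree.ElementTree as ET

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

def parse_version(text):
    """Turn '9.0.98', '9.0.0.M1' or '10.1.0-M1' into a sortable tuple; a milestone
    (M1, M2, ...) sorts before the final release carrying the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    stage = 0 if milestone else 1  # 0 = milestone, 1 = final release
    return (int(major), int(minor), int(patch), stage, int(milestone or 0))

# (lowest affected, highest affected, first fixed release) per line, as listed above
AFFECTED_RANGES = (
    (parse_version("11.0.0-M1"), parse_version("11.0.2"), "11.0.3"),
    (parse_version("10.1.0-M1"), parse_version("10.1.34"), "10.1.35"),
    (parse_version("9.0.0.M1"), parse_version("9.0.98"), "9.0.99"),
)

def fixed_version_for(version):
    """Return the first safe release when `version` is affected, otherwise None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None

def is_affected(version):
    return fixed_version_for(version) is not None

def tomcat_version_from_pom(pom_xml):
    """Read <tomcat.version> from pom.xml text, with or without the POM namespace."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "tomcat.version":
            return (el.text or "").strip()
    return None

# Constructed sample pom carrying the property the root pom on this page pins.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>9.0.99</tomcat.version></properties>
</project>"""

if __name__ == "__main__":
    pinned = tomcat_version_from_pom(SAMPLE_POM)
    print(pinned, "->", fixed_version_for(pinned) or "not affected")
```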

Key configuration

Project structure

demo_project
├─module
│  ├─src
│  │  └─main
│  └─pom.xml
└─pom.xml

pom.xml in the project root


<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>cn.demo</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>

  <name>demo</name>
  <description>demo</description>

  <properties>
    <demo.version>1.0.0</demo.version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>

    <!-- Pin embedded Tomcat to the first 9.x release that fixes CVE-2025-24813 -->
    <tomcat.version>9.0.99</tomcat.version>
    <jakarta.annotation-api.version>1.3.5</jakarta.annotation-api.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Spring Boot BOM; its managed Tomcat version is older than the fix -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.5.14</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Entries declared directly here take precedence over the imported BOM,
           so every tomcat-embed-* artifact resolves to ${tomcat.version} -->
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-core</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-el</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-websocket</artifactId>
        <version>${tomcat.version}</version>
        <exclusions>
          <exclusion>
            <artifactId>tomcat-annotations-api</artifactId>
            <groupId>org.apache.tomcat</groupId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>jakarta.annotation</groupId>
        <artifactId>jakarta.annotation-api</artifactId>
        <version>${jakarta.annotation-api.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <modules>
    <module>module</module>
  </modules>

  <packaging>pom</packaging>

  <dependencies>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.8.1</version>
        <configuration>
          <source>${java.version}</source>
          <target>${java.version}</target>
          <encoding>${project.build.sourceEncoding}</encoding>
          <parameters>true</parameters>
        </configuration>
      </plugin>
    </plugins>
    <resources>
      <resource>
        <directory>src/main/resources</directory>
        <filtering>true</filtering>
      </resource>
      <resource>
        <directory>src/main/java</directory>
        <includes>
          <include>**/*.xml</include>
        </includes>
      </resource>
    </resources>
  </build>
</project>

pom.xml in the module directory


<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <parent>
    <artifactId>demo</artifactId>
    <groupId>cn.demo</groupId>
    <version>1.0.0</version>
  </parent>
  <modelVersion>4.0.0</modelVersion>

  <artifactId>module</artifactId>

  <description>
    module模块
  </description>

  <dependencies>
    <!-- Exclude the starter's own Tomcat so the patched tomcat-embed-* artifacts
         declared below are the only embedded Tomcat on the classpath -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions>
        <exclusion>
          <groupId>org.apache.logging.log4j</groupId>
          <artifactId>log4j-api</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-websocket</artifactId>
      <exclusions>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- No versions here: they come from the parent's dependencyManagement (tomcat.version) -->
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <exclusions>
        <exclusion>
          <artifactId>tomcat-annotations-api</artifactId>
          <groupId>org.apache.tomcat</groupId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-el</artifactId>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-websocket</artifactId>
      <exclusions>
        <exclusion>
          <artifactId>tomcat-annotations-api</artifactId>
          <groupId>org.apache.tomcat</groupId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>jakarta.annotation</groupId>
      <artifactId>jakarta.annotation-api</artifactId>
    </dependency>
  </dependencies>
</project>

References

  1. spring-boot-starter-parent 2.5.14 Maven dependencies
