Summary

Apache Tomcat vulnerability CVE-2025-24813 (a path-equivalence flaw in how the DefaultServlet stores partial PUT uploads) may allow:

  • Information disclosure

  • Malicious content injection

  • Remote Code Execution (RCE)


Affected DataOps Versions: older than 2025.2.0.0


Our application ships with a bundled Tomcat under:

  • Linux: /opt/datagaps/DataOpsServer/

  • Windows: C:\app\datagaps\DataOpsSuite\DataOpsServer\

  • Containers: Contact support


✅ Risk Assessment for DataOps

DataOpsServer is not affected by the remote code execution path of this CVE because:

  • File-based session persistence is disabled (default). The RCE path needs Tomcat's file-based session store so that an attacker-written session file can be deserialized.

  • File uploads and logs are handled by the application code, not by Tomcat's DefaultServlet. The bundled DefaultServlet is also read-only (Tomcat's readonly parameter defaults to true), so it refuses PUT requests outright.

Every outcome of this CVE (information disclosure, content injection and RCE) requires two non-default or overridable conditions at once: writes enabled on the DefaultServlet (readonly=false) and partial PUT (a PUT request carrying a Content-Range header) being processed. However, to rule out any exploitation via PUT or Content-Range should writes ever be enabled on a deployment, apply the following mitigations as defense in depth.



Mitigation Steps

1. Harden DefaultServlet Configuration

 File:

  • Linux: /opt/datagaps/DataOpsServer/conf/web.xml

  • Windows: C:\app\datagaps\DataOpsSuite\DataOpsServer\conf\web.xml

 Update the <servlet> block for the default servlet as follows. The debug and listings entries are already present in the stock file; readonly=true is the setting that makes the DefaultServlet refuse PUT and DELETE, and it is also Tomcat's default when the parameter is absent, so the edit makes the safe value explicit:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

2. Disable Partial PUT Support

 Partial PUT (a PUT request carrying a Content-Range header) is handled by the DefaultServlet, not by the <Context> element. allowPartialPut is therefore a DefaultServlet init-param, not a <Context> attribute: an attribute Tomcat does not recognize on <Context> is ignored and only produces a "did not find a matching property" warning in the Tomcat log, so setting it in conf/context.xml has no effect. Leave conf/context.xml as shipped; its <WatchedResource> entries are the stock Tomcat content:

<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
</Context>

 Instead, add the parameter to the default servlet block in the same web.xml edited in step 1:

  • Linux: /opt/datagaps/DataOpsServer/conf/web.xml

  • Windows: C:\app\datagaps\DataOpsSuite\DataOpsServer\conf\web.xml

    <init-param>
        <param-name>allowPartialPut</param-name>
        <param-value>false</param-value>
    </init-param>

 Note: allowPartialPut exists only in Tomcat releases that added it after CVE-2025-24813 was published; check the DefaultServlet section of the documentation for the bundled Tomcat version, because an init-param the servlet does not know is silently ignored. The readonly=true setting from step 1 is the control that actually matters: a read-only DefaultServlet refuses every PUT before any Content-Range handling takes place, so this step only adds a second barrier for the case where writes are ever enabled.

3. Restart DataOpsServer
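To verify the result of steps 1 to 3, the following Python script (an added example written for this page, not DataOps or Apache Tomcat code) audits the default servlet block in conf/web.xml for readonly, allowPartialPut and listings, and can send one partial PUT against the running server to confirm it is refused. The sample web.xml strings are constructed from the snippets above; the probe path /cve-2025-24813-probe.txt and the script name audit_default_servlet.py are assumptions, and the values used for absent parameters are the DefaultServlet defaults (readonly=true, listings=false, allowPartialPut=true).

```python
"""Audit the DefaultServlet settings that gate CVE-2025-24813 and interpret a
probe PUT. Added example for this page; not code from DataOps or Apache Tomcat.

Assumptions (mine): the file is Tomcat's global conf/web.xml; absent init-params
take the DefaultServlet defaults readonly=true, listings=false,
allowPartialPut=true; the probe path /cve-2025-24813-probe.txt does not exist.
"""
import http.client
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# DefaultServlet defaults applied when the init-param is absent from web.xml.
DEFAULTS = {"readonly": "true", "listings": "false", "allowPartialPut": "true"}


def _local(tag: str) -> str:
    """Drop the XML namespace so the audit works whether or not web.xml declares xmlns."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """Effective init-params of the servlet named 'default' (explicit values over
    DEFAULTS). Returns {} when web.xml declares no such servlet."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-name")
        if name.strip() != "default":
            continue
        params = dict(DEFAULTS)
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            fields = {_local(c.tag): (c.text or "").strip() for c in ip}
            if fields.get("param-name"):
                params[fields["param-name"]] = fields.get("param-value", "")
        return params
    return {}


def findings(params: Dict[str, str]) -> List[str]:
    """Settings that leave the CVE-2025-24813 preconditions open, as messages."""
    issues = []
    if params.get("readonly", "true").lower() != "true":
        issues.append("readonly=false: DefaultServlet accepts PUT and DELETE (writes enabled)")
    if params.get("allowPartialPut", "true").lower() != "false":
        issues.append("allowPartialPut not false: Content-Range PUTs are processed if writes are enabled")
    if params.get("listings", "false").lower() == "true":
        issues.append("listings=true: directory listings exposed")
    return issues


def classify_put_status(status: int) -> str:
    """Meaning of the HTTP status returned to a partial PUT against the DefaultServlet."""
    if 200 <= status < 300:
        return "written"   # the servlet stored the body: writes are enabled, fix web.xml
    if status in (403, 405):
        return "refused"   # read-only DefaultServlet (or PUT blocked in front of Tomcat)
    return "rejected"      # other 4xx/5xx: nothing written; check the Tomcat log


def probe_partial_put(host: str, port: int, path: str = "/cve-2025-24813-probe.txt",
                      use_tls: bool = False, timeout: float = 5.0) -> int:
    """Send one PUT with a Content-Range header (a partial PUT) to a harmless,
    non-existent path and return the status code. Run only against servers you
    own: on a writable DefaultServlet this creates the probe file."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    body = b"probe"
    headers = {"Content-Type": "text/plain",
               "Content-Range": "bytes 0-4/10",   # marks the request as a partial PUT
               "Content-Length": str(len(body))}
    try:
        conn.request("PUT", path, body=body, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


# Constructed sample: the hardened default servlet block from the mitigation steps.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: writes enabled and allowPartialPut left at its default.
WRITABLE_WEB_XML = HARDENED_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>true</param-value>",
    "<param-name>readonly</param-name><param-value>false</param-value>",
).replace(
    "<init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>",
    "",
)


if __name__ == "__main__":
    # Usage: python audit_default_servlet.py /opt/datagaps/DataOpsServer/conf/web.xml [host port]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WRITABLE_WEB_XML
    for issue in findings(default_servlet_params(text)) or ["DefaultServlet settings look hardened"]:
        print(issue)
    if len(sys.argv) > 3:
        status = probe_partial_put(sys.argv[2], int(sys.argv[3]))
        print(f"partial PUT probe: HTTP {status} -> {classify_put_status(status)}")
```

Run it against the bundled Tomcat's conf/web.xml first, then with the host and port of the restarted DataOpsServer. A 403 or 405 from the probe is the expected result on a read-only DefaultServlet; "written" means the servlet accepted the upload, so step 1 has not taken effect and the file it created should be removed.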