
Alert: Apache Tomcat Security Updates – October 2025

The Apache Software Foundation released security updates to address multiple vulnerabilities in Apache Tomcat, including a critical directory traversal flaw that can lead to remote code execution (RCE).

 

Affected Systems:

The affected systems and versions include, but are not limited to:

  • Apache Tomcat 11.0.0-M1 through 11.0.10
  • Apache Tomcat 10.1.0-M1 through 10.1.44
  • Apache Tomcat 9.0.0-M11 through 9.0.108

Please refer to the official Apache Software Foundation website for a complete list of the security patches that have been released.
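The following Python check is an added example, not part of the NCSA alert or of Apache's tooling. It tests an installed Tomcat version against the three ranges listed above, including the milestone (-M) builds at the lower bounds. The function names are hypothetical, and the input is assumed to be either a bare version string or a version banner of the form "Apache Tomcat/x.y.z".

```python
import re

# Affected ranges exactly as listed in this alert (inclusive on both ends).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.10"),
    ("10.1.0-M1", "10.1.44"),
    ("9.0.0-M11", "9.0.108"),
]

# x.y.z with an optional -M<n> milestone suffix, not preceded by a digit or dot.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """Return a sortable key for the first Tomcat version found in text.

    Accepts a bare version ("9.0.108") or a banner such as
    "Server version: Apache Tomcat/9.0.108" (assumed format).
    Raises ValueError when no version is present.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    # Milestone builds sort before the final release of the same x.y.z.
    stage = (1, 0) if milestone is None else (0, int(milestone))
    return (int(major), int(minor), int(patch)) + stage


def listed_as_affected(text):
    """True if the version falls inside a range listed in the alert.

    False only means "not in the listed ranges": the alert states the
    list is not exhaustive, so it is not proof the version is unaffected.
    """
    key = parse_version(text)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("Server version: Apache Tomcat/9.0.108",
                   "10.1.0-M1", "9.0.0-M10", "11.0.11"):
        state = "LISTED AS AFFECTED" if listed_as_affected(sample) else "not in listed ranges"
        print(f"{sample!r}: {state}")
```

Run it against each Tomcat instance in the inventory; any version it does not flag should still be compared with the vendor's full list.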

 

Security Risks

 

The successful exploitation of vulnerabilities in Apache software poses a significant security risk, allowing cybercriminals to escalate privileges, execute arbitrary code, and disrupt or compromise the affected systems.

 

Recommended Actions

 

The National Cyber Security Authority (NCSA) strongly recommends that system administrators:

  • Follow the Apache Software Foundation security update to lower the risk of potential exploits and protect systems.
  • Apply the required and latest security updates as soon as possible.
 

The released software versions for upgrade include, but are not limited to:

 
  • Before any update task, please ensure you have a recent backup that can easily be restored.

For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us at 9009.
 


29 October 2025

© 2025 National Cyber Security Authority