Tomcat vulnerability CVE-2024-56337
There is a vulnerability, CVE-2024-56337, for Tomcat versions from 9.0.0.M1 to 9.0.97. This is fixed in Apache Tomcat version 9.0.98 and above. When will TeamCity have the updated version bundled?
TeamCity 2024.12.2 is bundled with Tomcat 9.0.98.
Best regards,
Anton
Just read through this https://www.upwind.io/feed/apache-tomcat-vulnerability-cve-2024-56337-exposes-servers-to-rce and got to know it will be fixed in Tomcat 9.0.99. When will TeamCity have Tomcat 9.0.99 or later versions bundled?
Moreover, I see the release notes do not capture the Tomcat version. It would be good if it's mentioned.
>> I see the release notes do not capture the Tomcat version
Thanks for pointing this out, it somehow slipped. The updates of bundled tools should be mentioned in the release notes, and I notified the team about it to make sure it won't happen in the future.
>> When will TeamCity have Tomcat 9.0.99 or later versions bundled?
It is currently planned for 2024.12.3.
Best regards,
Anton
Anton Vakhtel, is there by any chance a timeline for the release?
We had to postpone the bundled Tomcat update to 2024.12.4, but I want to assure you that we're doing all we can to provide the fix as soon as possible.
Anyway, if you are concerned about this vulnerability, you may upgrade the Tomcat version TeamCity uses manually. Please refer to https://www.jetbrains.com/help/teamcity/how-to.html#Install+Non-Bundled+Version+of+Tomcat
I recommend you first try running TeamCity on the later version of Tomcat on a test server before making the change on your production instance.
Best regards,
Anton
CVE-2024-24813
Tomcat 9.0.98.0 affected
No update available?
The updated bundled Tomcat will be included with the next release, which is planned for next week. However, the ETA could be changed if additional time is needed to prepare it.
As mentioned above, you may upgrade the Tomcat version TeamCity uses manually. Please refer to https://www.jetbrains.com/help/teamcity/how-to.html#Install+Non-Bundled+Version+of+Tomcat
Best regards,
Anton
Anton Vakhtel - Hi, when do you plan to upgrade Tomcat to the next version (9.0.99+) for the brand new vulnerability? Thank you!
https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html
The bundled Tomcat was updated to version 9.0.102 in 2025.03 which was released recently.
Best regards,
Anton
Hi Anton Vakhtel, does TeamCity 2024.12.3 have Tomcat 9.0.99 or later? We aren't able to update TeamCity to 2025.03 due to a licence issue, and CVE-2025-24813 needs Tomcat to be 9.0.99 or later. Just want to confirm.
No, TeamCity 2025.03 is bundled with Tomcat 9.0.102. 2024.12.3 is bundled with 9.0.98.
As mentioned above, you may upgrade the Tomcat version TeamCity uses manually. Please refer to https://www.jetbrains.com/help/teamcity/how-to.html#Install+Non-Bundled+Version+of+Tomcat
Best regards,
Anton
Reusing this thread as “minor documentation”
CVE-2025-31650, CVE-2025-31651: Tomcat up to 9.0.102 is vulnerable.
This refers to tomcat-juli.jar; I replaced the file in TeamCity\bin with 9.0.104, available at https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-juli
It would be nice to get verification that the next TeamCity version will have this updated, and when that is expected to be released.
Thanks!
I notified the team about it. I'll let you know when ETA is available.
Best regards,
Anton
We're already on TeamCity Professional 2025.03.2 Build 186181 but Microsoft Defender is showing a critical vulnerability for 9.0.102, CVE-2025-31651.
Can you double check the Tomcat version on the latest version?
TeamCity 2025.03.2 comes bundled with Tomcat 9.0.104. You can always check which Tomcat version your TeamCity server is using on the Administration > Diagnostics page.
Which exact file/path is the Defender showing the vulnerability for?
Best regards,
Anton
Luis Guerra, have you verified which file it complains about? If you have upgraded, you will need to clean up the TeamCity backup directory, which still contains the old vulnerable Tomcat files that Defender finds and warns about.
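A defender's check for the situation Christian describes above, old Tomcat jars lingering in a backup directory and tripping a scanner: this is an added example, not JetBrains' code or anything posted in the thread. It assumes Tomcat jars carry an Implementation-Version entry in their manifest and that catalina.jar and tomcat-juli.jar are the files worth checking; the directory tree it scans is constructed inline.

```python
"""Scan a directory tree (e.g. a TeamCity install plus its backup
directory) for Apache Tomcat jars and flag any below a fixed version.
Constructed example: a temporary tree with two fake jars is built inline."""
import os, re, tempfile, zipfile

TOMCAT_JARS = {"catalina.jar", "tomcat-juli.jar"}  # assumed: jars that carry the Tomcat version

def parse_tomcat_version(v: str):
    """'9.0.0.M1' -> (9,0,0,0,1); '9.0.98' -> (9,0,98,1,0). Milestones sort below GA."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def jar_version(path: str):
    """Read Implementation-Version from the jar manifest (assumed key; Tomcat's build sets it)."""
    with zipfile.ZipFile(path) as z:
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def find_outdated(root: str, minimum: str):
    """Return [(path, version)] for Tomcat jars older than `minimum` anywhere under root."""
    floor = parse_tomcat_version(minimum)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in TOMCAT_JARS:
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                if version and parse_tomcat_version(version) < floor:
                    hits.append((path, version))
    return hits

def _fake_jar(path: str, version: str):
    """Write a minimal jar containing only a manifest (constructed test data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")

def demo():
    """Constructed layout: live install on 9.0.104, backup still holding a 9.0.98 tomcat-juli.jar."""
    root = tempfile.mkdtemp()
    _fake_jar(os.path.join(root, "lib", "catalina.jar"), "9.0.104")
    _fake_jar(os.path.join(root, "backup", "lib", "tomcat-juli.jar"), "9.0.98")
    return find_outdated(root, "9.0.104")
```

Point `find_outdated` at the TeamCity home (including its backup directory) with the version your scanner expects as the floor; anything it lists is a stale copy to remove or update.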
Thank you for your reply Anton and Christian.
Tomcat version is 9.0.104 indeed.
I've deleted older backups as suggested and will update as soon as the scan occurs.
It is able to detect 9.0.104, but I think there are new vulnerabilities.
CVE-2025-46701
That's a new one, thanks! I created a task to update the bundled Tomcat.
It's possible to update Tomcat manually if needed: https://www.jetbrains.com/help/teamcity/how-to.html#Install+Non-Bundled+Version+of+Tomcat
Best regards,
Anton