ARC25-007

Desktop Laptop Option (DLO) Apache HTTP Server and Tomcat Vulnerabilities

Revision History

  • 1.0: May 28, 2025: Initial version

Description

Vulnerabilities were discovered in Arctera/Veritas Desktop Laptop Option (DLO) version 9.9 and prior because it bundles versions of Apache HTTP Server and Apache Tomcat that have known vulnerabilities. These vulnerabilities have recently been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, and customers should upgrade these components as soon as possible using the Remediation guidance below.

Issue                  Description                                 Severity   CVE ID
1. Apache HTTP Server  Improper Escaping of Output Vulnerability   Critical   CVE-2024-38475
2. Apache Tomcat       PUT Vulnerability                           Critical   CVE-2025-24813

Issue 1: Apache HTTP Server

CVE ID: CVE-2024-38475

Severity: Critical

CVSS v3.1 Base Score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CWE-116: Improper Encoding or Escaping of Output

Description

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

Issue 2: Apache Tomcat

CVE ID: CVE-2025-24813

Severity: Critical

CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CWE-44: Path Equivalence: 'file.name' (Internal Dot)

CWE-502: Deserialization of Untrusted Data

Description

Path Equivalence: 'file.name' (Internal Dot) leading to Remote Code Execution and other impacts has been found in Apache Tomcat 10.1.34 and earlier. The attack requires writes enabled for the default servlet (disabled by default), support for partial PUT (enabled by default), and other knowledge.

Affected Versions

Arctera/Veritas Desktop Laptop Option versions: 9.7, 9.8, 9.8.1, 9.8.2, 9.8.3 and 9.9. Earlier unsupported versions may be affected as well.

Remediation

Customers under a current maintenance contract should select the “Run Veritas Update” option in the Tools menu of the DLO Administration Console to update both Apache HTTP Server and Apache Tomcat.  For further information see:

https://www.veritas.com/support/en_US/doc/DLO_97_VxUpdate

Following this guidance will update Apache HTTP Server and Tomcat to the latest available versions.

Questions

For questions or problems regarding these vulnerabilities, please contact Arctera Technical Support (https://www.arctera.io/support).

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  Arctera US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Arctera US LLC
6200 Stoneridge Mall Road, Suite 150
Pleasanton, CA 94588