ARC25-007
Desktop Laptop Option (DLO) Apache HTTP Server and Tomcat Vulnerabilities
Revision History
- 1.0: May 28, 2025: Initial version
Description
Arctera/Veritas Desktop Laptop Option (DLO) version 9.9 and prior bundle versions of Apache HTTP Server and Apache Tomcat that contain known vulnerabilities. These vulnerabilities have recently been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, and customers should upgrade these components using the Remediation guidance below as soon as possible.
Issue | Description | Severity | CVE ID |
---|---|---|---|
1. Apache HTTP Server | Improper Escaping of Output Vulnerability | Critical | CVE-2024-38475 |
2. Apache Tomcat | PUT Vulnerability | Critical | CVE-2025-24813 |
Issue 1: Apache HTTP Server
CVE ID: CVE-2024-38475
Severity: Critical
CVSS v3.1 Base Score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CWE-116: Improper Encoding or Escaping of Output
Description
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
Issue 2: Apache Tomcat
CVE ID: CVE-2025-24813
Severity: Critical
CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE-44: Path Equivalence: 'file.name' (Internal Dot)
CWE-502: Deserialization of Untrusted Data
Description
A path equivalence flaw ('file.Name', internal dot) that can lead to remote code execution and other impacts was found in Apache Tomcat 10.1.34 and earlier. The attack requires write access to be enabled for the default servlet (disabled by default), support for partial PUT (enabled by default), and other knowledge.
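As an added defensive check, not part of this advisory or of the DLO product, the following Python compares an installed component's version banner against the two ceilings quoted in Issue 1 and Issue 2 (2.4.59 and 10.1.34), and inspects a Tomcat web.xml for the write-enabled default servlet precondition named for Issue 2. The `readonly` init-param is Tomcat's own DefaultServlet setting; the version banners and the web.xml fragment are constructed samples, not data from a real host.

```python
import re
import xml.etree.ElementTree as ET

# Version ceilings quoted in the advisory: "2.4.59 and earlier", "10.1.34 and earlier".
HTTPD_LAST_AFFECTED = (2, 4, 59)
TOMCAT_LAST_AFFECTED = (10, 1, 34)

def parse_version(banner):
    """First dotted numeric version in a banner line:
    'Server version: Apache/2.4.58 (Win64)' -> (2, 4, 58)."""
    m = re.search(r"\d+(?:\.\d+)+", banner)
    if not m:
        raise ValueError("no version in %r" % banner)
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(version, last_affected):
    """Segment-wise numeric compare, so (2, 4, 6) counts as older than (2, 4, 59)
    (a plain string compare would rank it newer)."""
    n = max(len(version), len(last_affected))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(version) <= pad(last_affected)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the jakartaee/javaee XML namespace

def default_servlet_writable(web_xml):
    """True when web.xml sets the DefaultServlet init-param 'readonly' to false,
    the write-enabled default servlet precondition named for CVE-2025-24813."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = "", {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        if cls.endswith(".DefaultServlet"):
            return params.get("readonly", "true").lower() == "false"
    return False  # no DefaultServlet entry: Tomcat's shipped read-only default applies

# Constructed sample inputs, not taken from a real DLO host.
SAMPLE_HTTPD_BANNER = "Server version: Apache/2.4.58 (Win64)"
SAMPLE_TOMCAT_BANNER = "Server number: 10.1.34.0"
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
  <servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
```

Both sample banners fall inside the affected ranges and the sample web.xml has the default servlet write-enabled, so all three checks report the precondition as present.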
Affected Versions
Arctera/Veritas Desktop Laptop Option versions: 9.7, 9.8, 9.8.1, 9.8.2, 9.8.3 and 9.9. Earlier unsupported versions may be affected as well.
Remediation
Customers under a current maintenance contract should select the “Run Veritas Update” option in the Tools menu of the DLO Administration Console to update both Apache HTTP Server and Apache Tomcat. For further information see:
https://www.veritas.com/support/en_US/doc/DLO_97_VxUpdate
Following this guidance will update Apache HTTP Server and Tomcat to the latest available versions.
Questions
For questions or problems regarding these vulnerabilities, please contact Arctera Technical Support (https://www.arctera.io/support).
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Arctera US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Arctera US LLC
6200 Stoneridge Mall Road, Suite 150
Pleasanton, CA 94588