Description

On March 10, 2025, a critical vulnerability in versions of Apache Tomcat was disclosed:

CVE-2025-24813:\u00A0 Potential RCE and/or information disclosure and/or information corruption with partial PUT

There are numerous sources for information on this vulnerability, but the Apache Tomcat security page provides information on impacted versions.\u00A0

\u00A0

Impacted Avaya Products

Avaya is investigating its product line to determine which products may be affected by this vulnerability.\u00A0 Avaya will provide status updates through Service Requests that are created by our customers.\u00A0 Product Support Notices / Product Correction Notices (PSNs/PCNs) may also be created.\u00A0

\u00A0

End of Manufacturer\u2019s Support (EoMS)

Avaya is prioritizing our GA products in a phased approach based on risk level and expected impact.\u00A0 Products/versions designated EoMS are not being assessed at this time and customers are encouraged to upgrade to a supported product/version.

\u00A0

Recommended Actions for Products

Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security, or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

\u00A0

Next Steps

For additional information, please create a Service Request (only one is required for all products).\u00A0 Product Support Notice (PSN) may be published, but opening an Service Request is recommended.

To create a Service Request:

Log on to https://support.avaya.com by using your Avaya credentials,
Under Service/Parts Request, click Create Service Request, and
On the Create a Service Request page, provide the required details including the application name(s) and version(s).

Avaya is aware that some customers are not able to immediately migrate EoMS product to a supported release. In those cases, Avaya recommends the customer protect the EoMS product behind an application-aware firewall appliance and/or a cloud service.

Customers are encouraged to subscribe to e-notifications to be notified of the latest PSN updates for their affected products.