Qlik Talend Administration Center 8.0 and CVE-2025-24813

Rohan_Miller

Last Update:

Aug 24, 2025 10:23:07 PM

Updated By:

Shicong_Hong

Created date:

Aug 24, 2025 10:24:43 PM

A deployed 8.0.1 Talend Administration Center instance is bundled with Apache Tomcat 9.0.91. This Tomcat version has been flagged as being impacted by CVE-2025-24813.


Resolution

At this time, CVE-2025-24813 does not apply to the Talend Administration Center (TAC) webapp. Talend Administration Center is not impacted because the Tomcat installed with it has the "Writes enabled for the default servlet" option disabled (it is disabled by default); a prerequisite for being susceptible to the attack is having that setting enabled.

While the Talend Administration Center webapp itself is not impacted by the CVE, users who want the flagged Tomcat jars removed from security scan findings (whether due to preference, a security audit, or other considerations) have the following options:

  • If the current Tomcat instance that hosts Talend Administration Center 8.0 is version 9.0.x, users can upgrade Tomcat to 9.0.100 or higher.
  • If the current Tomcat is 10.1.34 or a prior version, users can upgrade Tomcat to at least 10.1.40 (or higher) and patch the TAC instance to QTAC-969.

Please note that if users plan to upgrade Talend Administration Center from TPS-5552 or earlier (using Tomcat 9) to QTAC-969 or higher for TAC 8.0, the recommended path is to deploy both Apache Tomcat 10.1.40 (or higher) and Java 17 for this release. (One recommended option is to completely reinstall Tomcat and Talend Administration Center with the new installer and point it to the new DB.)

If users manually deploy Tomcat 10.1.40 (or a later version) alongside the Talend Administration Center on an instance and wish to verify that the aforementioned flag is disabled, inspect the "web.xml" file located in <Root Folder>/apache-tomcat/conf. Go to approximately lines 124-135 and examine the following configuration for "org.apache.catalina.servlets.DefaultServlet":

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>
          org.apache.catalina.servlets.DefaultServlet
    </servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

The example shown above has the value set to "false", signifying that writes are enabled. To disable that functionality, change the "param-value" to true, save the changes, and then restart Tomcat (either via the start/stop bat/sh script or with the service).


Internal Investigation ID(s) 

QTAC-918


Environment
