Hi all,
NVD - CVE-2025-24813 was published last week, describing an unauthenticated remote code vulnerability in Tomcat, exacerbated by running as root.
I see it’s mitigated in Tomcat v9.0.99, and it looks like the XWiki Docker container is currently running under v9.0.98.0; are there plans to bump that Tomcat version? Separately, are there plans to change the image to run under a non-root user?
The XWiki docker image is always built with the latest version of Tomcat at the time (to be a bit more precise 9.x for XWiki 16.10.x, and 10.x for XWiki 17+), so I guess it’s going to be fixed with the next release of XWiki.
It’s something that was indeed asked, and I know some people built their own docker image for that reason, but it has a hard time getting a good spot in the very full TODO list. We would of course welcome contributions to the standard XWiki docker image(s) on this subject.
1 Like
Are you sure about that? I’ve just pulled the xwiki:lts-postgres Docker container, and it runs Apache Tomcat/9.0.102. XWiki Docker images are part of the official Docker library and are based on the official Docker library Tomcat images; my understanding is that they are automatically rebuilt when the parent image has been updated.
Regarding root, as far as I understand, one challenge is that the official Tomcat Docker library image also runs as root which makes it harder for us to change this.
See Loading... with some links to how you could do that.
Generally speaking, we would like to fix this issue, but ATM there’s nobody active on the topic, and it would be interesting to know why the Tomcat Docker team keeps using the root user by default and what their recommendation is.
Thx
1 Like
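As an added example (not code from XWiki, the Tomcat Docker team, or anyone in this thread), one way to build the non-root derivative image that people in the thread say they maintain themselves: it assumes the official image layout with Tomcat under /usr/local/tomcat and XWiki's permanent directory under /usr/local/xwiki, and the UID/GID value is an arbitrary choice.

```dockerfile
# Hypothetical hardened derivative of the official image; the base tag,
# the two directory paths and the UID/GID are assumptions, not project settings.
FROM xwiki:lts-postgres

# Create an unprivileged system user with no login shell.
RUN groupadd --system --gid 10001 tomcat \
 && useradd --system --uid 10001 --gid tomcat \
      --home-dir /usr/local/tomcat --shell /usr/sbin/nologin tomcat

# Tomcat writes to its own tree (work/, temp/, logs/, and webapps/ when the
# WAR is first expanded), and XWiki's entrypoint writes into the permanent
# directory, so hand both over to the new user. Everything else in the image
# stays root-owned, so the web application cannot modify it.
RUN chown -R tomcat:tomcat /usr/local/tomcat /usr/local/xwiki

# Port 8080 is unprivileged, so no capability is needed to bind it.
USER tomcat
```

After starting a container from this image, `docker exec <container> id -u` should print 10001, and `docker exec <container> /usr/local/tomcat/bin/version.sh` shows the Tomcat build that is actually running, which is the quickest way to settle the version question raised above. If the permanent directory is a bind mount, the host-side ownership must also match that UID, or the entrypoint will fail when it tries to write there.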