Created by James Hurrell, on May 6, 2025

Issue description

As part of the process of fixing (in v. 2.12.8) a CVE found in CAST Security Dashboard (CVE-2025-24813), you should be aware of two impacts that require user intervention:

Using JAR installers to install CAST Security Dashboard

If you install CAST Security Dashboard using the Java JAR installers and you intend to run an in-place update to the 2.12.8 release you must ensure that you modify the following files post installation before restarting the dashboard:

  • dashboard-service-install.bat

  • startup.bat

These files are located at the root of the installation folder.

dashboard-service-install.bat

This file governs the creation of the Microsoft Windows service. If you have chosen to run your dashboard in this way, then you must action the following:

  • Append the following to line 25 of the file:

--add-opens java.base/java.io=ALL-UNNAMED

  • This will alter the line as follows:

set JAVA_MODULES=++JvmOptions9=--add-opens=java.base/java.lang=ALL-UNNAMED;--add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED;--add-opens java.base/java.io=ALL-UNNAMED

  • Save the file.

  • Re-run it to ensure that the Microsoft Windows service is recreated using the appended Java syntax.

  • Ensure that the Microsoft Windows service is running - if not, restart it.

Note that this requirement does not apply to new "from scratch" installations: the required syntax is already present.

startup.bat

This file governs the manual startup of the CAST Security Dashboard (i.e. not via a Microsoft Windows service). If you have chosen to run your dashboard in this way, then you must action the following:

  • Append the following to line 4 of the file:

--add-opens java.base/java.io=ALL-UNNAMED

  • This will alter the line as follows:

set JAVA_MODULES=--add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.naming/com.sun.jndi.ldap=ALL-UNNAMED;--add-opens java.base/java.io=ALL-UNNAMED

  • Save the file.

  • Re-run it to ensure that the CAST Security Dashboard is started in the correct manner.

Note that this requirement does not apply to new "from scratch" installations: the required syntax is already present.

Using Apache Tomcat to host CAST Security Dashboard

This issue applies only to those that use Apache Tomcat to host standalone CAST Security Dashboard: Apache Tomcat 9.0.99 is now the minimum release required to host CAST Security Dashboard.