diff --git a/tomcat-9.0-CVE-2021-24122.patch b/tomcat-9.0-CVE-2021-24122.patch
new file mode 100644
index 0000000..31ff7f3
--- /dev/null
+++ b/tomcat-9.0-CVE-2021-24122.patch
@@ -0,0 +1,77 @@
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
+ import java.net.URL;
+ 
+ import org.apache.catalina.LifecycleException;
++import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
+ import org.apache.tomcat.util.compat.JrePlatform;
+ import org.apache.tomcat.util.http.RequestUtil;
+ 
+ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ 
++    private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
++
+     protected static final String[] EMPTY_STRING_ARRAY = new String[0];
+ 
+     private File fileBase;
+@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
+             canPath = normalize(canPath);
+         }
+         if (!canPath.equals(absPath)) {
++            if (!canPath.equalsIgnoreCase(absPath)) {
++                // Typically means symlinks are in use but being ignored. Given
++                // the symlink was likely created for a reason, log a warning
++                // that it was ignored.
++                String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
++                        getRoot().getContext().getName(), absPath, canPath);
++                // Log issues with configuration files at a higher level
++                if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
++                    log.error(msg);
++                } else {
++                    log.warn(msg);
++                }
++            }
+             return null;
+         }
+ 
+@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
+         // expression irrespective of input length.
+         for (int i = 0; i < len; i++) {
+             char c = name.charAt(i);
+-            if (c == '\"' || c == '<' || c == '>') {
++            if (c == '\"' || c == '<' || c == '>' || c == ':') {
+                 // These characters are disallowed in Windows file names and
+                 // there are known problems for file names with these characters
+                 // when using File#getCanonicalPath().
+Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
++++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
+@@ -15,6 +15,8 @@
+ 
+ abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+ 
++abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
++
+ abstractResource.getContentFail=Unable to return [{0}] as a byte array
+ abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
+ 
+Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
++++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
+@@ -81,6 +81,10 @@
+         <bug>64493</bug>: Revert possible change of returned protocol
+         attribute value on the <code>Connector</code>. (remm)
+       </fix>
++      <add>
++        <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
++        because it uses symlinks. (markt)
++      </add>
+     </changelog>
+   </subsection>
+   <subsection name="Coyote">
diff --git a/tomcat.changes b/tomcat.changes
index 9f88ae6..719fa9c 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <amehmood@suse.com>
+
+- Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947) 
+- Added patch:
+  * tomcat-9.0-CVE-2021-24122 
+
 -------------------------------------------------------------------
 Wed Dec 16 12:17:22 UTC 2020 - Abid Mehmood <amehmood@suse.com>
 
diff --git a/tomcat.spec b/tomcat.spec
index c8d7809..10f9d04 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -85,6 +85,7 @@ Patch5:         tomcat-9.0.31-java8compat.patch
 Patch6:         tomcat-9.0.31-secretRequired-default.patch
 Patch7:         tomcat-9.0-CVE-2020-13943.patch
 Patch8:         tomcat-9.0-CVE-2020-17527.patch
+Patch9:         tomcat-9.0-CVE-2021-24122.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -261,6 +262,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl