tomcat-9.0.87-1.el8_10.6

Errata ID: AXSA:2025-10776:05

Release date: 
2025/08/22 Friday - 18:54
Title: 
tomcat-9.0.87-1.el8_10.6
Affected channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)
* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)
* tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)
* tomcat: Apache Tomcat denial of service (CVE-2025-52520)
* tomcat: Apache Tomcat denial of service (CVE-2025-52434)
* tomcat: Apache Tomcat denial of service (CVE-2025-53506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-48976
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
CVE-2025-48988
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-48989
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "MadeYouReset" attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108, which fix the issue.
CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-52434
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
CVE-2025-52520
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
CVE-2025-53506
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Solution: 

Update packages.

Additional information: 

N/A

Downloads: 

SRPMS
  1. tomcat-9.0.87-1.el8_10.6.src.rpm
    MD5: 6c116b03e5da7019543316933f754795
    SHA-256: d7662855b5949bb8b77f507ef67dffbba9e30472179d57bcd7d20fcc966bc328
    Size: 15.13 MB

Asianux Server 8 for x86_64
  1. tomcat-9.0.87-1.el8_10.6.noarch.rpm
    MD5: a184d4b5382b93a222fb72769c1a9b01
    SHA-256: d12115fc0d639047a2fc273f047188fd3fa27b9a4a8a643fd932e01be5812b73
    Size: 94.37 kB
  2. tomcat-admin-webapps-9.0.87-1.el8_10.6.noarch.rpm
    MD5: b999293ba920a62433538501fe59908e
    SHA-256: c10cb8afded8e28bd36ee64a8dc0331436589f7372c28bc56bf738efd06ac981
    Size: 75.30 kB
  3. tomcat-docs-webapp-9.0.87-1.el8_10.6.noarch.rpm
    MD5: 2ad09406e168b562519f9b8dc14a6e6b
    SHA-256: 6c3aab3a38c62f3a53e0014458a1fdbe25915029cda719f1cc1ce9866c837a72
    Size: 756.96 kB
  4. tomcat-el-3.0-api-9.0.87-1.el8_10.6.noarch.rpm
    MD5: e7182e58528145e9797b0c532f29b94d
    SHA-256: 84f00985df9259830ec5c4fd4f12b39fac273a991180e44ba7ebd7f2043d3a4a
    Size: 108.33 kB
  5. tomcat-jsp-2.3-api-9.0.87-1.el8_10.6.noarch.rpm
    MD5: 444c80f788a942bf8d2e526b0d48157c
    SHA-256: 66b815bdb45d466cfa0d4e2fa9a5750056509a1a94a5198f283d73475b0f95e2
    Size: 74.26 kB
  6. tomcat-lib-9.0.87-1.el8_10.6.noarch.rpm
    MD5: 3d76afd13004d58606a0400fb6d8d59e
    SHA-256: 131347b8750e66c81f117208aaf1391374ad3ed9c4c75901e0d1ad29ada34917
    Size: 6.05 MB
  7. tomcat-servlet-4.0-api-9.0.87-1.el8_10.6.noarch.rpm
    MD5: 366ff4af4ef05413e525d12cfafcd85d
    SHA-256: cb43e2753dc3b98b0f4eb62ea6e7aac2282dd8c11998452bac38a13e394071a0
    Size: 288.91 kB
  8. tomcat-webapps-9.0.87-1.el8_10.6.noarch.rpm
    MD5: 526b695e92fc95e594de214c07214488
    SHA-256: b71e71001e46f855c1459b9ea7a20f80711e49b82639d184ab100d8ba24a5b17
    Size: 82.73 kB
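A practitioner applying this errata by hand will want to confirm two things: that each downloaded RPM matches the SHA-256 published above before it is installed, and that the tomcat package actually installed afterwards is at least the fixed build 9.0.87-1.el8_10.6. The script below is an added example, not part of the Asianux advisory or of the Tomcat project; the digest table is copied from the download list above, and it assumes GNU coreutils (`sha256sum`, `sort -V`) and `rpm` on the target host.

```shell
#!/bin/sh
# Added example (not part of the advisory): verify downloaded RPMs against the
# SHA-256 values published in this errata and check the installed tomcat build.

# Package file name followed by its published SHA-256 (copied from the advisory).
EXPECTED_SHA256="
tomcat-9.0.87-1.el8_10.6.noarch.rpm d12115fc0d639047a2fc273f047188fd3fa27b9a4a8a643fd932e01be5812b73
tomcat-admin-webapps-9.0.87-1.el8_10.6.noarch.rpm c10cb8afded8e28bd36ee64a8dc0331436589f7372c28bc56bf738efd06ac981
tomcat-docs-webapp-9.0.87-1.el8_10.6.noarch.rpm 6c3aab3a38c62f3a53e0014458a1fdbe25915029cda719f1cc1ce9866c837a72
tomcat-el-3.0-api-9.0.87-1.el8_10.6.noarch.rpm 84f00985df9259830ec5c4fd4f12b39fac273a991180e44ba7ebd7f2043d3a4a
tomcat-jsp-2.3-api-9.0.87-1.el8_10.6.noarch.rpm 66b815bdb45d466cfa0d4e2fa9a5750056509a1a94a5198f283d73475b0f95e2
tomcat-lib-9.0.87-1.el8_10.6.noarch.rpm 131347b8750e66c81f117208aaf1391374ad3ed9c4c75901e0d1ad29ada34917
tomcat-servlet-4.0-api-9.0.87-1.el8_10.6.noarch.rpm cb43e2753dc3b98b0f4eb62ea6e7aac2282dd8c11998452bac38a13e394071a0
tomcat-webapps-9.0.87-1.el8_10.6.noarch.rpm b71e71001e46f855c1459b9ea7a20f80711e49b82639d184ab100d8ba24a5b17
"

# The build this errata ships; anything older on the host is still affected.
FIXED_BUILD="9.0.87-1.el8_10.6"

# sha256_of FILE: print the hex digest using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: succeed only when FILE's digest equals EXPECTED.
verify_sha256() {
  actual=$(sha256_of "$1") || return 2
  [ "$actual" = "$2" ]
}

# expected_sha256 NAME: look up the published digest for a package file name.
expected_sha256() {
  printf '%s\n' "$EXPECTED_SHA256" | awk -v n="$1" '$1 == n {print $2}'
}

# verify_rpm PATH: check one downloaded package against its published digest.
# Returns 0 on match, 1 on mismatch, 2 when the file is not in the errata list.
verify_rpm() {
  name=$(basename "$1")
  exp=$(expected_sha256 "$name")
  if [ -z "$exp" ]; then
    echo "SKIP $name: no published SHA-256 in this errata" >&2
    return 2
  fi
  if verify_sha256 "$1" "$exp"; then
    echo "OK   $name"
  else
    echo "FAIL $name: digest mismatch, do not install" >&2
    return 1
  fi
}

# version_ge A B: true when version-release string A sorts at or above B
# under GNU version ordering (sort -V), e.g. 1.el8_10.6 >= 1.el8_10.5.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# installed_is_fixed: compare the installed tomcat build with FIXED_BUILD.
# Returns 2 when tomcat is not installed at all.
installed_is_fixed() {
  inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' tomcat 2>/dev/null) || return 2
  version_ge "$inst" "$FIXED_BUILD"
}

# Usage: sh verify-errata.sh /path/to/*.rpm   (verifies files, then the host)
if [ $# -gt 0 ]; then
  rc=0
  for f in "$@"; do verify_rpm "$f" || rc=1; done
  if installed_is_fixed; then
    echo "installed tomcat build is $FIXED_BUILD or newer"
  else
    echo "installed tomcat build is older than $FIXED_BUILD (or not installed)" >&2
  fi
  exit $rc
fi
```

The digest check compares against the SHA-256 values only; MD5 is listed in the advisory but is not collision-resistant, so it should not be the value an installer trusts. The version comparison relies on `sort -V` ordering of the `VERSION-RELEASE` string, which is adequate for the single-package case here but is not a substitute for `rpm --verify` or `dnf updateinfo` on a full host audit.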