tomcat-9.0.87-1.el8_10.6
Errata ID: AXSA:2025-10776:05
Release date:
2025/08/22 Friday - 18:54
Title:
tomcat-9.0.87-1.el8_10.6
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Tomcat's bundled copy of Apache Commons FileUpload allocates resources for
multipart headers without sufficient limits, allowing a remote attacker to
cause a denial of service (resource exhaustion). (CVE-2025-48976)
- Tomcat allocates resources without limits or throttling, allowing a
remote attacker to cause a denial of service (resource exhaustion).
(CVE-2025-48988)
- Tomcat improperly shuts down and releases resources, making it vulnerable
to the "made you reset" attack and allowing a remote attacker to cause a
denial of service (resource exhaustion). (CVE-2025-48989)
- Tomcat is affected by an authentication bypass using an alternate path or
channel: PreResources or PostResources mounted somewhere other than the root
of a web application could be reached via an unexpected path that is not
covered by the security constraints protecting the expected path, allowing
a remote attacker to obtain information. (CVE-2025-49125)
- Tomcat's APR/Native connector contains a race condition, most noticeable
on client-initiated closes of HTTP/2 connections, allowing a remote attacker
to cause a denial of service. (CVE-2025-52434)
- Tomcat's multipart upload handling contains an integer overflow that can
bypass size limits in some unlikely configurations, allowing a remote
attacker to cause a denial of service. (CVE-2025-52520)
- Tomcat does not bound concurrent HTTP/2 streams when a client fails to
acknowledge the initial settings frame that lowers the permitted maximum,
allowing a remote attacker to cause a denial of service (resource
exhaustion). (CVE-2025-53506)
Solution:
Update the package.
CVE:
CVE-2025-48976
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
CVE-2025-48988
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-48989
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-52434
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
CVE-2025-52520
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
CVE-2025-53506
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
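The errata's solution is "update the package", and the CVE texts above make two of the issues (CVE-2025-52434, CVE-2025-53506) conditional on the APR/Native connector or HTTP/2 being enabled. The script below is an added audit helper written for this page; it is not part of the Asianux errata or of the Tomcat project. It checks the installed tomcat version-release against the fixed one, verifies a downloaded RPM against a SHA-256 sum from the Download section, and reports whether a server.xml enables the APR/Native connector or the HTTP/2 upgrade protocol. It assumes GNU coreutils (sort -V, sha256sum) and, for the live check only, rpm; the server.xml fragment it writes is a constructed sample, not a real host's configuration.

```shell
#!/bin/sh
# Added audit helper for AXSA:2025-10776:05 (not part of the errata).
# Assumes GNU coreutils (sort -V, sha256sum); rpm is used only if present.

FIXED_EVR="9.0.87-1.el8_10.6"   # version-release shipped by this errata

# Returns 0 when the installed VERSION-RELEASE "$1" is at least FIXED_EVR.
# sort -V approximates rpm's EVR ordering well enough for the el8_10.N
# release tags used here; rpmdev-vercmp is the authoritative comparison.
tomcat_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$1" | sort -V | head -n1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Returns 0 when the SHA-256 of file "$1" equals "$2" (a sum from the
# Download section), so a mirrored RPM can be checked before installing it.
rpm_sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Prints which connector features named in the CVE texts are enabled in the
# server.xml at "$1": "apr" for the APR/Native connector (CVE-2025-52434) and
# "http2" for the HTTP/2 upgrade protocol (CVE-2025-52434, CVE-2025-53506).
# Prints an empty line when neither is configured.
connector_exposure() {
    tags=""
    if grep -Eq 'Http11AprProtocol|useAprConnector="true"' "$1"; then
        tags="$tags apr"
    fi
    if grep -q 'org.apache.coyote.http2.Http2Protocol' "$1"; then
        tags="$tags http2"
    fi
    echo "${tags# }"
}

# Constructed server.xml fragment for demonstration; not a real host's config.
# It enables both features, so connector_exposure reports "apr http2".
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" maxThreads="150">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service>
EOF
}

# Live check: runs only where rpm exists, so the helpers stay usable elsewhere.
if command -v rpm >/dev/null 2>&1; then
    if rpm -q tomcat >/dev/null 2>&1; then
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat | head -n1)
        if tomcat_is_fixed "$installed"; then
            echo "tomcat-$installed: fixed for AXSA:2025-10776:05"
        else
            echo "tomcat-$installed: VULNERABLE, update to tomcat-$FIXED_EVR"
        fi
    else
        echo "tomcat: not installed"
    fi
    if [ -r /etc/tomcat/server.xml ]; then
        echo "connector exposure: $(connector_exposure /etc/tomcat/server.xml)"
    fi
fi
```

A host on an older el8_10 release of tomcat-9.0.87 is reported as vulnerable regardless of connector settings, since the FileUpload, multipart and PreResources/PostResources issues apply to every configuration; the connector report only tells you whether the APR and HTTP/2 specific issues add to that exposure.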
Additional information:
N/A
Download:
SRPMS
- tomcat-9.0.87-1.el8_10.6.src.rpm
MD5: 6c116b03e5da7019543316933f754795
SHA-256: d7662855b5949bb8b77f507ef67dffbba9e30472179d57bcd7d20fcc966bc328
Size: 15.13 MB
Asianux Server 8 for x86_64
- tomcat-9.0.87-1.el8_10.6.noarch.rpm
MD5: a184d4b5382b93a222fb72769c1a9b01
SHA-256: d12115fc0d639047a2fc273f047188fd3fa27b9a4a8a643fd932e01be5812b73
Size: 94.37 kB
- tomcat-admin-webapps-9.0.87-1.el8_10.6.noarch.rpm
MD5: b999293ba920a62433538501fe59908e
SHA-256: c10cb8afded8e28bd36ee64a8dc0331436589f7372c28bc56bf738efd06ac981
Size: 75.30 kB
- tomcat-docs-webapp-9.0.87-1.el8_10.6.noarch.rpm
MD5: 2ad09406e168b562519f9b8dc14a6e6b
SHA-256: 6c3aab3a38c62f3a53e0014458a1fdbe25915029cda719f1cc1ce9866c837a72
Size: 756.96 kB
- tomcat-el-3.0-api-9.0.87-1.el8_10.6.noarch.rpm
MD5: e7182e58528145e9797b0c532f29b94d
SHA-256: 84f00985df9259830ec5c4fd4f12b39fac273a991180e44ba7ebd7f2043d3a4a
Size: 108.33 kB
- tomcat-jsp-2.3-api-9.0.87-1.el8_10.6.noarch.rpm
MD5: 444c80f788a942bf8d2e526b0d48157c
SHA-256: 66b815bdb45d466cfa0d4e2fa9a5750056509a1a94a5198f283d73475b0f95e2
Size: 74.26 kB
- tomcat-lib-9.0.87-1.el8_10.6.noarch.rpm
MD5: 3d76afd13004d58606a0400fb6d8d59e
SHA-256: 131347b8750e66c81f117208aaf1391374ad3ed9c4c75901e0d1ad29ada34917
Size: 6.05 MB
- tomcat-servlet-4.0-api-9.0.87-1.el8_10.6.noarch.rpm
MD5: 366ff4af4ef05413e525d12cfafcd85d
SHA-256: cb43e2753dc3b98b0f4eb62ea6e7aac2282dd8c11998452bac38a13e394071a0
Size: 288.91 kB
- tomcat-webapps-9.0.87-1.el8_10.6.noarch.rpm
MD5: 526b695e92fc95e594de214c07214488
SHA-256: b71e71001e46f855c1459b9ea7a20f80711e49b82639d184ab100d8ba24a5b17
Size: 82.73 kB