tomcat-9.0.87-3.el9_6.3
エラータID: AXSA:2025-10779:06
リリース日:
2025/08/25 Monday - 10:47
題名:
tomcat-9.0.87-3.el9_6.3
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Tomcat には、リソースの割り当てが不十分な問題があるため、
リモートの攻撃者により、サービス拒否攻撃 (リソース枯渇) を
可能とする脆弱性が存在します。(CVE-2025-48976)
- Tomcat には、リソースの制限を実施していない問題があるため、
リモートの攻撃者により、サービス拒否攻撃 (リソース枯渇) を
可能とする脆弱性が存在します。(CVE-2025-48988)
- Tomcat には、リソースの不適切なシャットダウンおよびリリースの
問題があるため、リモートの攻撃者により、サービス拒否攻撃 (リソース
枯渇) を可能とする脆弱性が存在します。(CVE-2025-48989)
- Tomcat には、代替パスまたはチャネルを使用した認証回避の問題が
あるため、リモートの攻撃者により、情報の漏洩を可能とする脆弱性が
存在します。(CVE-2025-49125)
- Tomcat には、競合状態に至る問題があるため、リモートの攻撃者
により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-52434)
- Tomcat には、整数オーバーフローの問題があるため、リモートの
攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2025-52520)
- Tomcat には、リモートの攻撃者により、サービス拒否攻撃 (リソース
枯渇) を可能とする脆弱性が存在します。(CVE-2025-53506)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2025-48976
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
CVE-2025-48988
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-48989
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-52434
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
CVE-2025-52520
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
CVE-2025-53506
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
追加情報:
N/A
ダウンロード:
SRPMS
- tomcat-9.0.87-3.el9_6.3.src.rpm
MD5: 67c94dc4531728056f98ac9b01efc30c
SHA-256: 69a83758d68ef2addd4529f9dcc5302324caded0bfd4aa932217eb1319e08566
Size: 15.13 MB
Asianux Server 9 for x86_64
- tomcat-9.0.87-3.el9_6.3.noarch.rpm
MD5: 633f5c6ebba7a1d60392e753ed9ac7d3
SHA-256: 0ffe1ff3a14c641687602e7b31e7ffe7711963aebe759108daed1b2bae2470ce
Size: 98.70 kB - tomcat-admin-webapps-9.0.87-3.el9_6.3.noarch.rpm
MD5: 88326dc6d1c204f57bed6f9adb5d0ec5
SHA-256: 688483dd9f20b9538bfbf0d26964956eb2ff8140a167f9bdce9d941fb8935d17
Size: 79.48 kB - tomcat-docs-webapp-9.0.87-3.el9_6.3.noarch.rpm
MD5: 70f8e16649c9a31793af2fc657450233
SHA-256: 86e506a5bca76bc6e0af1ca805f8f8d099c5bc0d57be9d46d5d626b681d7ae7e
Size: 725.86 kB - tomcat-el-3.0-api-9.0.87-3.el9_6.3.noarch.rpm
MD5: 595959162534aed83b9e116a66574ae4
SHA-256: f6714318c155fbda3a29c5e5fa4dea510d39b310e231190426865181b7fc466d
Size: 105.24 kB - tomcat-jsp-2.3-api-9.0.87-3.el9_6.3.noarch.rpm
MD5: 64fbc0150b28e50c19cc4178e5bb2880
SHA-256: 82e42b013a1e3352263fb80197d971e00c15bb7599c6925edbc5ed99abb8891a
Size: 72.17 kB - tomcat-lib-9.0.87-3.el9_6.3.noarch.rpm
MD5: b8152d838ee44e87f89bd570268628f6
SHA-256: 11392031f0d6199360f5a316f1445897e1a9e18cc2833e88ac5f3115b8cbad0c
Size: 5.98 MB - tomcat-servlet-4.0-api-9.0.87-3.el9_6.3.noarch.rpm
MD5: 3f40c1120f0c488613fae262b0c2ac69
SHA-256: 041173f5f7f1d6aae44ed03b780c4e07d7be6ff2b32c0933f2f16285a274a4b2
Size: 284.17 kB - tomcat-webapps-9.0.87-3.el9_6.3.noarch.rpm
MD5: f704bb3c151deb5e44a69fdf892376bc
SHA-256: 7eea8f810b223967f3d38942018def7ca74fce85b396b780bd2546735d590117
Size: 80.36 kB
English