An update for tomcat is now available for openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1484 Final 1.0 1.0 2025-05-09 Initial 2025-05-09 2025-05-09 openEuler SA Tool V1.0 2025-05-09 tomcat security update An update for tomcat is now available for openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Security Fix(es): Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.(CVE-2025-31650) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.(CVE-2025-31651) An update for tomcat is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical tomcat https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1484 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-31650 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-31651 https://nvd.nist.gov/vuln/detail/CVE-2025-31650 https://nvd.nist.gov/vuln/detail/CVE-2025-31651 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 tomcat-9.0.100-2.oe2203sp4.noarch.rpm tomcat-help-9.0.100-2.oe2203sp4.noarch.rpm tomcat-jsvc-9.0.100-2.oe2203sp4.noarch.rpm tomcat-9.0.100-2.oe2403.noarch.rpm tomcat-help-9.0.100-2.oe2403.noarch.rpm tomcat-jsvc-9.0.100-2.oe2403.noarch.rpm tomcat-9.0.100-2.oe2403sp1.noarch.rpm tomcat-help-9.0.100-2.oe2403sp1.noarch.rpm tomcat-jsvc-9.0.100-2.oe2403sp1.noarch.rpm tomcat-9.0.100-2.oe2003sp4.noarch.rpm tomcat-help-9.0.100-2.oe2003sp4.noarch.rpm tomcat-jsvc-9.0.100-2.oe2003sp4.noarch.rpm tomcat-9.0.100-2.oe2203sp3.noarch.rpm tomcat-help-9.0.100-2.oe2203sp3.noarch.rpm tomcat-jsvc-9.0.100-2.oe2203sp3.noarch.rpm tomcat-9.0.100-2.oe2203sp4.src.rpm tomcat-9.0.100-2.oe2403.src.rpm tomcat-9.0.100-2.oe2403sp1.src.rpm tomcat-9.0.100-2.oe2003sp4.src.rpm tomcat-9.0.100-2.oe2203sp3.src.rpm Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue. 2025-05-09 CVE-2025-31650 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H tomcat security update 2025-05-09 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1484 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. 2025-05-09 CVE-2025-31651 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H tomcat security update 2025-05-09 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1484