{"schema_version":"1.7.2","id":"OESA-2025-1484","modified":"2025-05-09T12:42:45Z","published":"2025-05-09T12:42:45Z","upstream":["CVE-2025-31650","CVE-2025-31651"],"summary":"tomcat security update","details":"Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.\n\nSecurity Fix(es):\n\nImproper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.\n\nThis issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.\n\nUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.(CVE-2025-31650)\n\nImproper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.\n\nUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.(CVE-2025-31651)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.100-2.oe2203sp4"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.100-2.oe2203sp4.noarch.rpm","tomcat-help-9.0.100-2.oe2203sp4.noarch.rpm","tomcat-jsvc-9.0.100-2.oe2203sp4.noarch.rpm"],"src":["tomcat-9.0.100-2.oe2203sp4.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.100-2.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.100-2.oe2403.noarch.rpm","tomcat-help-9.0.100-2.oe2403.noarch.rpm","tomcat-jsvc-9.0.100-2.oe2403.noarch.rpm","tomcat-9.0.100-2.oe2403sp1.noarch.rpm","tomcat-help-9.0.100-2.oe2403sp1.noarch.rpm","tomcat-jsvc-9.0.100-2.oe2403sp1.noarch.rpm"],"src":["tomcat-9.0.100-2.oe2403.src.rpm","tomcat-9.0.100-2.oe2403sp1.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat\u0026distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.100-2.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.100-2.oe2403sp1.noarch.rpm","tomcat-help-9.0.100-2.oe2403sp1.noarch.rpm","tomcat-jsvc-9.0.100-2.oe2403sp1.noarch.rpm"],"src":["tomcat-9.0.100-2.oe2403sp1.src.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.100-2.oe2003sp4"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.100-2.oe2003sp4.noarch.rpm","tomcat-help-9.0.100-2.oe2003sp4.noarch.rpm","tomcat-jsvc-9.0.100-2.oe2003sp4.noarch.rpm"],"src":["tomcat-9.0.100-2.oe2003sp4.src.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.100-2.oe2203sp3"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.100-2.oe2203sp3.noarch.rpm","tomcat-help-9.0.100-2.oe2203sp3.noarch.rpm","tomcat-jsvc-9.0.100-2.oe2203sp3.noarch.rpm"],"src":["tomcat-9.0.100-2.oe2203sp3.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1484"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31650"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31651"}],"database_specific":{"severity":"Critical"}}
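The record above gives one fixed version-release (EVR) per openEuler release, and the openEuler fix (9.0.100-2) carries a lower version number than the upstream fix (9.0.104), so "is this host affected" cannot be answered by comparing against the Apache version ranges in the details text or by a plain string comparison. The Python below is an added example, not openEuler's or Apache's tooling: it ports the segment ordering of rpm's rpmvercmp() so the verdict matches what rpm and dnf would compute, then walks the OSV "affected" ranges for the host's ecosystem. The trimmed copy of the record, the sample installed EVRs and the rpm query format in the comment are the example's own assumptions; the ecosystem names and fixed EVRs are transcribed from the record above.

```python
"""Check an installed openEuler tomcat RPM against OESA-2025-1484 (added example)."""
import re

_NUM = re.compile(r"[0-9]*")
_ALPHA = re.compile(r"[A-Za-z]*")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Numeric segments compare as numbers, alphabetic ones lexically; a numeric
    segment beats an alphabetic one; '~' sorts before end-of-string (pre-release)
    and '^' after end-of-string but before any other segment (post-release).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # anything that is not ASCII alphanumeric, '~' or '^' is a separator
        while i < len(a) and not (a[i].isascii() and (a[i].isalnum() or a[i] in "~^")):
            i += 1
        while j < len(b) and not (b[j].isascii() and (b[j].isalnum() or b[j] in "~^")):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = _NUM if isnum else _ALPHA
        sa, sb = pat.match(a, i).group(0), pat.match(b, j).group(0)
        if not sa:
            return -1
        if not sb:  # segment types differ: numeric is newer than alphabetic
            return 1 if isnum else -1
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release'; epoch is optional and defaults to 0 (assumption)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Trimmed copy of the advisory's "affected" array (ecosystem and fixed EVR only),
# transcribed from the record above; a real check would json.load() the full file.
_FIXED = {
    "openEuler:20.03-LTS-SP4": "9.0.100-2.oe2003sp4",
    "openEuler:22.03-LTS-SP3": "9.0.100-2.oe2203sp3",
    "openEuler:22.03-LTS-SP4": "9.0.100-2.oe2203sp4",
    "openEuler:24.03-LTS": "9.0.100-2.oe2403sp1",
    "openEuler:24.03-LTS-SP1": "9.0.100-2.oe2403sp1",
}
OSV_RECORD = {
    "id": "OESA-2025-1484",
    "affected": [{"package": {"ecosystem": eco, "name": "tomcat"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": fixed}]}]}
                 for eco, fixed in _FIXED.items()],
}


def is_affected(record: dict, ecosystem: str, installed_evr: str):
    """Return (affected, fixed_evr); raise LookupError if the ecosystem is not listed."""
    for entry in record["affected"]:
        if entry["package"]["ecosystem"] != ecosystem:
            continue
        fixed = None
        for rng in entry["ranges"]:
            introduced = fixed = None
            for event in rng["events"]:  # OSV orders events: introduced, then fixed
                introduced = event.get("introduced", introduced)
                fixed = event.get("fixed", fixed)
            if introduced is not None and evr_cmp(installed_evr, introduced) < 0:
                continue  # installed build predates the vulnerable range
            if fixed is None or evr_cmp(installed_evr, fixed) < 0:
                return True, fixed
        return False, fixed
    raise LookupError(f"{ecosystem} is not listed in {record['id']}")


if __name__ == "__main__":
    # Installed EVR as printed by: rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat  (sample values)
    for eco, evr in [("openEuler:22.03-LTS-SP4", "9.0.100-1.oe2203sp4"),
                     ("openEuler:22.03-LTS-SP4", "9.0.100-2.oe2203sp4")]:
        print(eco, evr, is_affected(OSV_RECORD, eco, evr))
```

An ecosystem missing from the advisory raises instead of reporting clean, so a host on a release the record does not cover is never marked safe by accident. Segment-wise numeric comparison is what makes 9.0.97-1 order below 9.0.100-2 and 9.0.100-1 below 9.0.100-2 even though a string sort would get both wrong.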