OESA-2025-1897

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1897
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1897.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1897
Upstream
Published
2025-07-25T13:16:54Z
Modified
2025-08-12T05:51:34.378535Z
Summary
tomcat security update
Details

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.

Security Fix(es):

A vulnerability, which was classified as problematic, has been found in Apache Tomcat up to 9.0.105/10.1.41/11.0.7 (Application Server Software).Using CWE to declare the problem leads to CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Impacted is availability.Upgrading to version 9.0.106, 10.1.42 or 11.0.8 eliminates this vulnerability.(CVE-2025-48988)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.

This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 9.0.107, which fixes the issue.(CVE-2025-52434)

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.(CVE-2025-52520)

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.(CVE-2025-53506)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS-SP2 / tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.100-6.oe2403sp2

Ecosystem specific 

{
    "src": [
        "tomcat-9.0.100-6.oe2403sp2.src.rpm"
    ],
    "noarch": [
        "tomcat-9.0.100-6.oe2403sp2.noarch.rpm",
        "tomcat-help-9.0.100-6.oe2403sp2.noarch.rpm",
        "tomcat-jsvc-9.0.100-6.oe2403sp2.noarch.rpm"
    ]
}