=====================================================================
CERT-Renater Note d'Information No. 2025/VULN367
_____________________________________________________________________

DATE : 18/06/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 11.0.8, 10.1.42, 9.0.106.
=====================================================================

https://lists.apache.org/thread/41hglyvqmbvw8rdxokjjvlho0f7byf5m
https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv
https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
_____________________________________________________________________

CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS.

This limit is now configurable (maxPartHeaderSize on the Connector) with a default of 512 bytes.
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
The vulnerability was identified by the TERASOLUNA Framework Security Team of NTT DATA Group Corporation

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2025-48988 Apache Tomcat - DoS in multipart upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS.

The maximum number of parts is now configurable (maxPartCount on the Connector) with a default of 10 parts.
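The two Connector attributes introduced by the fixes, maxPartHeaderSize (CVE-2025-48976) and maxPartCount (CVE-2025-48988), bound two different things: how many parts a request may carry, and how many header bytes each part may carry before the parser stops reading. The following is an added example, not code from the advisory or from Tomcat: a simplified model of a multipart walker that enforces both limits before any data is retained, fed with a constructed server.xml fragment (the ports and the explicit values on the first Connector are hypothetical; the defaults 10 and 512 are the ones stated in the advisory) and with constructed request bodies shaped like the two attack patterns the descriptions mention.

```python
"""Added example (not Tomcat's code): model of the two multipart limits that
Tomcat 11.0.8 / 10.1.42 / 9.0.106 expose on the Connector, maxPartCount
(CVE-2025-48988) and maxPartHeaderSize (CVE-2025-48976), enforced while
walking a multipart/form-data body so that neither the part count nor the
per-part header bytes are buffered without bound."""
import xml.etree.ElementTree as ET

# Post-fix defaults stated in the advisory.
DEFAULT_MAX_PART_COUNT = 10
DEFAULT_MAX_PART_HEADER_SIZE = 512

# Constructed server.xml fragment (hypothetical deployment, not a real config):
# the first Connector sets both limits explicitly, the second relies on defaults.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               maxPartCount="50" maxPartHeaderSize="1024"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
  </Service>
</Server>
"""


def connector_limits(server_xml: str) -> dict:
    """Map each Connector port to its effective (maxPartCount, maxPartHeaderSize),
    applying the post-fix defaults where the attribute is absent."""
    root = ET.fromstring(server_xml)
    limits = {}
    for conn in root.iter("Connector"):
        port = int(conn.get("port"))
        count = int(conn.get("maxPartCount", DEFAULT_MAX_PART_COUNT))
        header = int(conn.get("maxPartHeaderSize", DEFAULT_MAX_PART_HEADER_SIZE))
        limits[port] = (count, header)
    return limits


class MultipartLimitExceeded(Exception):
    """Raised as soon as a request exceeds a configured limit."""


def check_multipart(body: bytes, boundary: bytes,
                    max_part_count: int, max_part_header_size: int) -> int:
    """Walk the body part by part and return the part count.

    Both checks fire before the offending data would be retained: the part
    counter is checked when a new delimiter is seen, and the header terminator
    is only searched for inside a window of max_part_header_size bytes, so an
    oversized header block is never scanned or buffered in full.
    """
    delimiter = b"--" + boundary
    parts = 0
    pos = body.find(delimiter)
    if pos == -1:
        raise ValueError("no opening boundary")
    while True:
        pos += len(delimiter)
        if body.startswith(b"--", pos):
            return parts                      # closing delimiter "--boundary--"
        if body.startswith(b"\r\n", pos):
            pos += 2                          # CRLF that ends the delimiter line
        parts += 1
        if parts > max_part_count:
            raise MultipartLimitExceeded(
                f"part {parts} exceeds maxPartCount={max_part_count}")
        # Bounded search: the header block must terminate within the allowed size.
        window_end = pos + max_part_header_size + len(b"\r\n\r\n")
        hdr_end = body.find(b"\r\n\r\n", pos, window_end)
        if hdr_end == -1:
            raise MultipartLimitExceeded(
                f"part {parts} headers exceed maxPartHeaderSize="
                f"{max_part_header_size} (or are unterminated)")
        pos = body.find(delimiter, hdr_end + 4)
        if pos == -1:
            raise ValueError("unterminated part")


def within_limits(body: bytes, boundary: bytes,
                  max_part_count: int, max_part_header_size: int) -> bool:
    """Convenience wrapper: True if the body passes both limits."""
    try:
        check_multipart(body, boundary, max_part_count, max_part_header_size)
        return True
    except MultipartLimitExceeded:
        return False


def build_multipart(boundary: bytes, parts) -> bytes:
    """Build a multipart/form-data body from (header_block, content) pairs
    (constructed sample traffic, used here only to exercise the checker)."""
    out = b""
    for headers, content in parts:
        out += b"--" + boundary + b"\r\n" + headers + b"\r\n\r\n" + content + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


BOUNDARY = b"----limits-demo"
FIELD = b'Content-Disposition: form-data; name="f"'

# Ordinary form: 3 small parts, passes under the advisory defaults.
NORMAL_BODY = build_multipart(BOUNDARY, [(FIELD, b"x")] * 3)
# Many-parts request (the CVE-2025-48988 pattern): 500 tiny parts.
MANY_PARTS_BODY = build_multipart(BOUNDARY, [(FIELD, b"x")] * 500)
# Large-header request (the CVE-2025-48976 pattern): one part with a 4 kB header block.
BIG_HEADER_BODY = build_multipart(
    BOUNDARY, [(FIELD + b"\r\nX-Pad: " + b"A" * 4096, b"x")])


if __name__ == "__main__":
    for port, (count, header) in sorted(connector_limits(SERVER_XML).items()):
        print(f"Connector :{port}: maxPartCount={count} maxPartHeaderSize={header}")
        for name, body in [("normal", NORMAL_BODY), ("many-parts", MANY_PARTS_BODY),
                           ("big-header", BIG_HEADER_BODY)]:
            ok = within_limits(body, BOUNDARY, count, header)
            print(f"  {name:10s} -> {'accepted' if ok else 'rejected'}")
```

Two operational points follow from the defaults the advisory gives. The new maxPartCount default of 10 is low: any form or API that legitimately sends more parts per request will be rejected after the upgrade until the attribute is raised on the Connector, so the value should be set deliberately rather than left to the default on busy upload endpoints. Likewise the new 512-byte maxPartHeaderSize is far smaller than the old 10kB hard-coded limit; a part whose Content-Disposition carries a very long filename can exceed it, which is worth checking against real traffic before rollout.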
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
The vulnerability was identified by the TERASOLUNA Framework Security Team of NTT DATA Group Corporation

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0 to 10.1.41
Apache Tomcat 9.0.23 to 9.0.105

Description:
During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
T. Doğa Gelişli https://linkedin.com/in/tdogagelisli/

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path.
That path was unlikely to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
Greg K (https://github.com/gregk4sec)

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email:cert@support.renater.fr   +
=========================================================
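All four advisories above share the same fixed releases (11.0.8, 10.1.42, 9.0.106), and three of them (CVE-2025-48976, CVE-2025-48988, CVE-2025-49125) cover every earlier release of the 11.0, 10.1 and 9.0 branches, milestones included, so for fleet triage a host is affected exactly when its version sorts below the fixed release of its branch. The following is an added example, not part of the advisory or of the Tomcat project: a version comparer that understands both milestone spellings used above ("11.0.0-M1" and "9.0.0.M1") and maps a constructed inventory of hypothetical hosts to the upgrade each needs. Branches the advisory does not list (for instance 8.5.x or 10.0.x) are reported as not covered rather than silently treated as safe.

```python
"""Added example (not from the advisory or the Tomcat project): triage an
inventory of Tomcat version strings against the fixed releases named in the
Mitigation sections above (11.0.8, 10.1.42, 9.0.106)."""
import re

# Branch -> first fixed release. Every earlier release of the branch, milestones
# included, is affected by at least CVE-2025-48976, -48988 and -49125.
FIXED = {(11, 0): (11, 0, 8), (10, 1): (10, 1, 42), (9, 0): (9, 0, 106)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text: str) -> tuple:
    """Return a sortable tuple for 'Apache Tomcat/9.0.105', '11.0.0-M1' or
    '9.0.0.M1'. A milestone sorts before the final release with the same
    number: (..., 0, n) for M<n>, (..., 1, 0) for the final release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = m.group(4)
    if milestone:
        return (major, minor, patch, 0, int(milestone))
    return (major, minor, patch, 1, 0)


def fixed_release(text: str):
    """First fixed release for the branch of `text`, or None if the branch is
    not covered by this advisory (e.g. 8.5.x or 10.0.x)."""
    v = parse_version(text)
    return FIXED.get((v[0], v[1]))


def is_affected(text: str):
    """True if the version is in an affected range, False if it is fixed,
    None if the branch is not covered by the advisory."""
    fixed = fixed_release(text)
    if fixed is None:
        return None
    return parse_version(text) < fixed + (1, 0)


def triage(inventory: dict) -> dict:
    """Map host -> required action for hosts that are affected or whose branch
    the advisory does not cover; fixed hosts are omitted."""
    actions = {}
    for host, version in inventory.items():
        status = is_affected(version)
        if status is None:
            actions[host] = "branch not covered by advisory (check EOL status)"
        elif status:
            actions[host] = "upgrade to %d.%d.%d" % fixed_release(version)
    return actions


# Constructed inventory (hypothetical hosts); the strings are in the form
# printed by `catalina.sh version` and shown on Tomcat's default error pages.
INVENTORY = {
    "app-01": "Apache Tomcat/9.0.105",
    "app-02": "Apache Tomcat/9.0.106",
    "app-03": "Apache Tomcat/10.1.41",
    "app-04": "Apache Tomcat/11.0.0-M1",
    "app-05": "Apache Tomcat/11.0.8",
    "legacy-01": "Apache Tomcat/8.5.100",
}

if __name__ == "__main__":
    for host, action in sorted(triage(INVENTORY).items()):
        print(f"{host}: {action}")
```

Note that CVE-2025-49124 alone has narrower lower bounds (10.1.0 and 9.0.23) because it concerns the Windows installer; that does not change the triage result, since the other three CVEs already cover the whole of each branch.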