=====================================================================
CERT-Renater Note d'Information No. 2025/VULN438
_____________________________________________________________________

DATE : 11/07/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 11.0.9, 10.1.43, 9.0.107.
=====================================================================

https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030
_____________________________________________________________________

CVE-2025-53506 Apache Tomcat - DoS in HTTP/2

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.8
Apache Tomcat 10.1.0-M1 to 10.1.42
Apache Tomcat 9.0.0.M1 to 9.0.106

Description:
An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.9 or later
- Upgrade to Apache Tomcat 10.1.32 or later
- Upgrade to Apache Tomcat 9.0.107 or later

Credit:
The vulnerability was identified by Kanatoko

History:
2025-07-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

Thursday, 10 July 2025 20:56:28 UTC+2

CVE-2025-52520 Apache Tomcat - DoS in multipart upload

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.8
Apache Tomcat 10.1.0-M1 to 10.1.42
Apache Tomcat 9.0.0.M1 to 9.0.106

Description:
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.9 or later
- Upgrade to Apache Tomcat 10.1.32 or later
- Upgrade to Apache Tomcat 9.0.107 or later

Credit:
The vulnerability was identified by Saravana Kumar

History:
2025-07-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

Thursday, 10 July 2025 21:18:14 UTC+2

Correcting typo in fixed versions

CVE-2025-52520 Apache Tomcat - DoS in multipart upload

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.8
Apache Tomcat 10.1.0-M1 to 10.1.42
Apache Tomcat 9.0.0.M1 to 9.0.106

Description:
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.9 or later
- Upgrade to Apache Tomcat 10.1.43 or later
- Upgrade to Apache Tomcat 9.0.107 or later

Credit:
The vulnerability was identified by Saravana Kumar

History:
2025-07-10 Original advisory
2025-07-10 Correction to fixed versions

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2025-49125 Apache Tomcat - APR/Native Connector crash leading to DoS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.107 or later

Credit:
Nacl, 12SqweR, WHOAMI, yyzmoo

History:
2025-07-10 Original advisory

References:
[1] https://tomcat.apache.org/security-9.html

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
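The three advisories above share the same affected-version ranges on the 11.0.x and 10.1.x branches but differ on 9.0.x (CVE-2025-49125 stops at 9.0.105), and Tomcat milestone releases are written two ways (11.0.0-M1, 9.0.0.M1), which makes a naive string comparison unreliable when triaging an inventory. The following version checker is an added example written for this note; it is not code from CERT-Renater or the Apache Tomcat project. The version ranges and fixed releases are those printed in the advisories, using the corrected 10.1.43 for the 10.1.x branch; the parsing rules, function names and the sample inventory are this example's own.

```python
"""Triage Apache Tomcat version strings against the ranges listed in this note
(CVE-2025-53506, CVE-2025-52520, CVE-2025-49125).

Added example, not part of the CERT-Renater or Apache text. Ranges and fixed
releases come from the advisories above (10.1.43 is the corrected fixed
release for 10.1.x). Parsing logic and sample data are constructed here.
"""
import re
from typing import List, Optional, Tuple

# Tomcat versions look like "9.0.0.M1", "11.0.0-M1" or "10.1.42".
# The milestone suffix may be separated by either "." or "-".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn 'x.y.z' or 'x.y.z[.-]M<n>' into a tuple that sorts correctly.

    A milestone becomes (x, y, z, 0, n) and a GA release (x, y, z, 1, 0),
    so 9.0.0.M1 < 9.0.0 < 9.0.1 under plain tuple comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is not None:
        return (int(major), int(minor), int(patch), 0, int(milestone))
    return (int(major), int(minor), int(patch), 1, 0)


# (CVE, first affected, last affected, fixed release), one row per branch,
# transcribed from the advisories in this note.
ADVISORY_RANGES = [
    ("CVE-2025-53506", "11.0.0-M1", "11.0.8", "11.0.9"),
    ("CVE-2025-53506", "10.1.0-M1", "10.1.42", "10.1.43"),
    ("CVE-2025-53506", "9.0.0.M1", "9.0.106", "9.0.107"),
    ("CVE-2025-52520", "11.0.0-M1", "11.0.8", "11.0.9"),
    ("CVE-2025-52520", "10.1.0-M1", "10.1.42", "10.1.43"),
    ("CVE-2025-52520", "9.0.0.M1", "9.0.106", "9.0.107"),
    # Only the 9.0.x branch is listed for the APR/Native connector crash.
    ("CVE-2025-49125", "9.0.0.M1", "9.0.105", "9.0.107"),
]


def affected_cves(version: str) -> List[Tuple[str, str]]:
    """Return [(cve, fixed_release), ...] for every range containing `version`.

    Exposure to CVE-2025-49125 additionally requires the APR/Native connector
    to be in use; this version-only check is deliberately conservative and
    reports it whenever the version is in range.
    """
    v = parse_version(version)
    return [
        (cve, fixed)
        for cve, first, last, fixed in ADVISORY_RANGES
        if parse_version(first) <= v <= parse_version(last)
    ]


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the version out of a 'Apache Tomcat/<version>' string, as seen in
    Tomcat's 'Server version:' startup log line or a Server header."""
    m = re.search(r"Apache Tomcat/(\S+)", banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed inventory: hostname -> version banner (not real hosts).
    inventory = {
        "app-01.example.test": "Apache Tomcat/9.0.105",
        "app-02.example.test": "Apache Tomcat/10.1.42",
        "app-03.example.test": "Apache Tomcat/11.0.9",
        "app-04.example.test": "Apache Tomcat/9.0.0.M1",
    }
    for host, banner in sorted(inventory.items()):
        version = version_from_banner(banner)
        hits = affected_cves(version) if version else []
        if hits:
            todo = ", ".join(f"{cve} (fix: {fixed})" for cve, fixed in hits)
            print(f"{host}: {version} affected by {todo}")
        else:
            print(f"{host}: {version} not in any listed range")
```

The milestone handling is the part worth keeping: a lexical comparison would place 9.0.0.M1 after 9.0.0 and miss the start of every range, while the tuple encoding puts milestones below their GA release. Feed the script your own banners or `version.sh` output in place of the constructed inventory.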