vulnerability

Oracle Linux: CVE-2025-31650: ELSA-2025-11332: tomcat9 security update (IMPORTANT) (Multiple Advisories)

Try Surface Command
Back to search
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
Apr 28, 2025
Added
Jul 18, 2025
Modified
Jul 18, 2025

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.
This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
A flaw was found in Apache Tomcat. This vulnerability allows an application-level denial of service (DoS), causing it to become unresponsive or slow via maliciously crafted HTTP/2 prioritization headers. It performs an incomplete cleanup of failed requests, which triggers a memory leak.

Solutions

oracle-linux-upgrade-tomcatoracle-linux-upgrade-tomcat9oracle-linux-upgrade-tomcat9-admin-webappsoracle-linux-upgrade-tomcat9-docs-webapporacle-linux-upgrade-tomcat9-el-3-0-apioracle-linux-upgrade-tomcat9-jsp-2-3-apioracle-linux-upgrade-tomcat9-liboracle-linux-upgrade-tomcat9-servlet-4-0-apioracle-linux-upgrade-tomcat9-webappsoracle-linux-upgrade-tomcat-admin-webappsoracle-linux-upgrade-tomcat-docs-webapporacle-linux-upgrade-tomcat-el-3-0-apioracle-linux-upgrade-tomcat-jsp-2-3-apioracle-linux-upgrade-tomcat-liboracle-linux-upgrade-tomcat-servlet-4-0-apioracle-linux-upgrade-tomcat-webapps

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today