csaf_suse - suse-su-2025:02992-1

suse-su-2025:02992-1

Vulnerability from csaf_suse

Published

2025-08-27 11:57

Modified

2025-08-27 11:57

Summary

Security update for tomcat11

Notes

Title of the patch

Security update for tomcat11

Description of the patch

This update for tomcat11 fixes the following issues: Updated to Tomcat 11.0.10 - CVE-2025-48989: Fixed 'MadeYouReset' DoS in HTTP/2 due to client triggered stream reset (bsc#1243895) Other fixes: * Catalina + Fix: Fix bloom filter population for archive indexing when using a packed WAR containing one or more JAR files. (markt) * Coyote + Fix: 69748: Add missing call to set keep-alive timeout when using HTTP/1.1 following an async request, which was present for AJP. (remm/markt) + Fix: 69762: Fix possible overflow during HPACK decoding of integers. Note that the maximum permitted value of an HPACK decoded integer is Integer.MAX_VALUE. (markt) + Fix: Update the HTTP/2 overhead documentation - particularly the code comments - to reflect the deprecation of the PRIORITY frame and clarify that a stream reset always triggers an overhead increase. (markt) * Cluster + Update: Add enableStatistics configuration attribute for the DeltaManager, defaulting to true. (remm) * WebSocket + Fix: Align the WebSocket extension handling for WebSocket client connections with WebSocket server connections. The WebSocket client now only includes an extension requested by an endpoint in the opening handshake if the WebSocket client supports that extension. (markt) * Web applications + Fix: Manager and Host Manager. Provide the Manager and Host Manager web applications with a dedicated favicon file rather than using the one from the ROOT web application which might not be present or may represent something entirely different. Pull requests #876 and #878 by Simon Arame. * Other + Update: Update Checkstyle to 10.26.1. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt)

Patchnames

SUSE-2025-2992,SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2992,SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2992,openSUSE-SLE-15.6-2025-2992

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for tomcat11",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for tomcat11 fixes the following issues:\n\nUpdated to Tomcat 11.0.10\n- CVE-2025-48989: Fixed \u0027MadeYouReset\u0027 DoS in HTTP/2 due to client triggered stream reset (bsc#1243895)\n  \nOther fixes:\n  * Catalina\n    + Fix: Fix bloom filter population for archive indexing when using a\n      packed WAR containing one or more JAR files. (markt)\n  * Coyote\n    + Fix: 69748: Add missing call to set keep-alive timeout when using\n      HTTP/1.1 following an async request, which was present for AJP.\n      (remm/markt)\n    + Fix: 69762: Fix possible overflow during HPACK decoding of integers.\n      Note that the maximum permitted value of an HPACK decoded integer is\n      Integer.MAX_VALUE. (markt)\n    + Fix: Update the HTTP/2 overhead documentation - particularly the code\n      comments - to reflect the deprecation of the PRIORITY frame and\n      clarify that a stream reset always triggers an overhead increase.\n      (markt)\n  * Cluster\n    + Update: Add enableStatistics configuration attribute for the\n      DeltaManager, defaulting to true. (remm)\n  * WebSocket\n    + Fix: Align the WebSocket extension handling for WebSocket client\n      connections with WebSocket server connections. The WebSocket client\n      now only includes an extension requested by an endpoint in the\n      opening handshake if the WebSocket client supports that extension.\n      (markt)\n  * Web applications\n    + Fix: Manager and Host Manager. Provide the Manager and Host Manager\n      web applications with a dedicated favicon file rather than using the\n      one from the ROOT web application which might not be present or may\n      represent something entirely different. Pull requests #876 and #878\n      by Simon Arame.\n  * Other\n    + Update: Update Checkstyle to 10.26.1. (markt)\n    + Add: Improvements to French translations. (remm)\n    + Add: Improvements to Japanese translations by tak7iji. (markt)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-2992,SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2992,SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2992,openSUSE-SLE-15.6-2025-2992",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02992-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:02992-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502992-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:02992-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2025-August/041365.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1243895",
        "url": "https://bugzilla.suse.com/1243895"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-48989 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-48989/"
      }
    ],
    "title": "Security update for tomcat11",
    "tracking": {
      "current_release_date": "2025-08-27T11:57:03Z",
      "generator": {
        "date": "2025-08-27T11:57:03Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:02992-1",
      "initial_release_date": "2025-08-27T11:57:03Z",
      "revision_history": [
        {
          "date": "2025-08-27T11:57:03Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat11-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-doc-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-doc-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-doc-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-embed-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-embed-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-embed-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-jsvc-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-jsvc-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-jsvc-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-lib-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-lib-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-lib-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
                "product": {
                  "name": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
                  "product_id": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
                  "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-lib-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-lib-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-lib-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-lib-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-lib-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-lib-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-webapps-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-doc-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-doc-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-doc-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-embed-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-embed-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-embed-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-jsvc-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-jsvc-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-jsvc-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-lib-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-lib-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-lib-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch"
        },
        "product_reference": "tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-48989",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-48989"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-doc-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-embed-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-jsvc-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
          "openSUSE Leap 15.6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-48989",
          "url": "https://www.suse.com/security/cve/CVE-2025-48989"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243888 for CVE-2025-48989",
          "url": "https://bugzilla.suse.com/1243888"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243895 for CVE-2025-48989",
          "url": "https://bugzilla.suse.com/1243895"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-doc-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-embed-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-jsvc-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-webapps-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-doc-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-docs-webapp-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-embed-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-jsvc-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-lib-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch",
            "openSUSE Leap 15.6:tomcat11-webapps-11.0.10-150600.13.9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-08-27T11:57:03Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-48989"
    }
  ]
}

CVE-2025-48989 (GCVE-0-2025-48989)

Vulnerability from cvelistv5

Published

2025-08-13 12:11

Modified

2025-08-13 19:56

Severity ?

CWE

CWE-404 - Improper Resource Shutdown or Release

Summary

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

References

▼	URL	Tags
	https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Version: 11.0.0-M1 ≤ 11.0.9 Version: 10.1.0-M1 ≤ 10.1.43 Version: 9.0.0.M1 ≤ 9.0.107

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-48989",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T18:37:15.707400Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T19:56:35.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.9",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.43",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.107",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "unknown",
              "version": "8.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-13T12:11:26.124Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: h2 DoS - Made You Reset",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-48989",
    "datePublished": "2025-08-13T12:11:26.124Z",
    "dateReserved": "2025-05-29T15:25:37.243Z",
    "dateUpdated": "2025-08-13T19:56:35.999Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted