Red Hat Product Errata RHSA-2025:14177 - Security Advisory
Issued:
2025-08-20
Updated:
2025-08-20

RHSA-2025:14177 - Security Advisory

Synopsis

Important: tomcat security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for tomcat is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

  • tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)
  • tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
  • apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)
  • tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)
  • tomcat: Apache Tomcat denial of service (CVE-2025-52520)
  • tomcat: Apache Tomcat denial of service (CVE-2025-52434)
  • tomcat: Apache Tomcat denial of service (CVE-2025-53506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2373015 - CVE-2025-48988 tomcat: Apache Tomcat DoS in multipart upload
  • BZ - 2373018 - CVE-2025-49125 tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources
  • BZ - 2373020 - CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers
  • BZ - 2373309 - CVE-2025-48989 tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames
  • BZ - 2379374 - CVE-2025-52520 tomcat: Apache Tomcat denial of service
  • BZ - 2379382 - CVE-2025-52434 tomcat: Apache Tomcat denial of service
  • BZ - 2379386 - CVE-2025-53506 tomcat: Apache Tomcat denial of service

Red Hat Enterprise Linux for x86_64 8

SRPM
tomcat-9.0.87-1.el8_10.6.src.rpm SHA-256: 5357a3e492ba422f5e2da3f53466af26a14086b624b39df838c78a62d432cc04
x86_64
tomcat-9.0.87-1.el8_10.6.noarch.rpm SHA-256: fbe049da86787e815df5e77e8fb877ce70e3f4b69711d2a0476bcb8738ecbed3
tomcat-admin-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 9ad71c9b775a017c3e899cc1077d2f4f12b9fa92f3e8aa71e2f9024769182570
tomcat-docs-webapp-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 778ba38ec9ff97fb1cb6c195c5627036a287353807d3fefc91abf3ddaf1d2c81
tomcat-el-3.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 72f4588fdd7c1874b6ced9acb84c866581d7e88e1bcc326e23d6265efa548522
tomcat-jsp-2.3-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 240d770b1e3938ec4e9503e4dd95c86766c802bb51c16f84cd3190ed8d48fa6a
tomcat-lib-9.0.87-1.el8_10.6.noarch.rpm SHA-256: c5a2e233cdc6ac33ec8ccb06c6d31c0e48c382c5853e07a9965f4e6345141960
tomcat-servlet-4.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: d5e76b3fa412ab5a5b38c8daa923751d29ffcdf97a2ed2a9895d5fca64e2154f
tomcat-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 20e9ca71bf7f66247c4d14f41b758a43c8a5cecc7f9abb987a7f3e5640aee218

Red Hat Enterprise Linux for IBM z Systems 8

SRPM
tomcat-9.0.87-1.el8_10.6.src.rpm SHA-256: 5357a3e492ba422f5e2da3f53466af26a14086b624b39df838c78a62d432cc04
s390x
tomcat-9.0.87-1.el8_10.6.noarch.rpm SHA-256: fbe049da86787e815df5e77e8fb877ce70e3f4b69711d2a0476bcb8738ecbed3
tomcat-admin-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 9ad71c9b775a017c3e899cc1077d2f4f12b9fa92f3e8aa71e2f9024769182570
tomcat-docs-webapp-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 778ba38ec9ff97fb1cb6c195c5627036a287353807d3fefc91abf3ddaf1d2c81
tomcat-el-3.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 72f4588fdd7c1874b6ced9acb84c866581d7e88e1bcc326e23d6265efa548522
tomcat-jsp-2.3-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 240d770b1e3938ec4e9503e4dd95c86766c802bb51c16f84cd3190ed8d48fa6a
tomcat-lib-9.0.87-1.el8_10.6.noarch.rpm SHA-256: c5a2e233cdc6ac33ec8ccb06c6d31c0e48c382c5853e07a9965f4e6345141960
tomcat-servlet-4.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: d5e76b3fa412ab5a5b38c8daa923751d29ffcdf97a2ed2a9895d5fca64e2154f
tomcat-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 20e9ca71bf7f66247c4d14f41b758a43c8a5cecc7f9abb987a7f3e5640aee218

Red Hat Enterprise Linux for Power, little endian 8

SRPM
tomcat-9.0.87-1.el8_10.6.src.rpm SHA-256: 5357a3e492ba422f5e2da3f53466af26a14086b624b39df838c78a62d432cc04
ppc64le
tomcat-9.0.87-1.el8_10.6.noarch.rpm SHA-256: fbe049da86787e815df5e77e8fb877ce70e3f4b69711d2a0476bcb8738ecbed3
tomcat-admin-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 9ad71c9b775a017c3e899cc1077d2f4f12b9fa92f3e8aa71e2f9024769182570
tomcat-docs-webapp-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 778ba38ec9ff97fb1cb6c195c5627036a287353807d3fefc91abf3ddaf1d2c81
tomcat-el-3.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 72f4588fdd7c1874b6ced9acb84c866581d7e88e1bcc326e23d6265efa548522
tomcat-jsp-2.3-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 240d770b1e3938ec4e9503e4dd95c86766c802bb51c16f84cd3190ed8d48fa6a
tomcat-lib-9.0.87-1.el8_10.6.noarch.rpm SHA-256: c5a2e233cdc6ac33ec8ccb06c6d31c0e48c382c5853e07a9965f4e6345141960
tomcat-servlet-4.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: d5e76b3fa412ab5a5b38c8daa923751d29ffcdf97a2ed2a9895d5fca64e2154f
tomcat-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 20e9ca71bf7f66247c4d14f41b758a43c8a5cecc7f9abb987a7f3e5640aee218

Red Hat Enterprise Linux for ARM 64 8

SRPM
tomcat-9.0.87-1.el8_10.6.src.rpm SHA-256: 5357a3e492ba422f5e2da3f53466af26a14086b624b39df838c78a62d432cc04
aarch64
tomcat-9.0.87-1.el8_10.6.noarch.rpm SHA-256: fbe049da86787e815df5e77e8fb877ce70e3f4b69711d2a0476bcb8738ecbed3
tomcat-admin-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 9ad71c9b775a017c3e899cc1077d2f4f12b9fa92f3e8aa71e2f9024769182570
tomcat-docs-webapp-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 778ba38ec9ff97fb1cb6c195c5627036a287353807d3fefc91abf3ddaf1d2c81
tomcat-el-3.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 72f4588fdd7c1874b6ced9acb84c866581d7e88e1bcc326e23d6265efa548522
tomcat-jsp-2.3-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 240d770b1e3938ec4e9503e4dd95c86766c802bb51c16f84cd3190ed8d48fa6a
tomcat-lib-9.0.87-1.el8_10.6.noarch.rpm SHA-256: c5a2e233cdc6ac33ec8ccb06c6d31c0e48c382c5853e07a9965f4e6345141960
tomcat-servlet-4.0-api-9.0.87-1.el8_10.6.noarch.rpm SHA-256: d5e76b3fa412ab5a5b38c8daa923751d29ffcdf97a2ed2a9895d5fca64e2154f
tomcat-webapps-9.0.87-1.el8_10.6.noarch.rpm SHA-256: 20e9ca71bf7f66247c4d14f41b758a43c8a5cecc7f9abb987a7f3e5640aee218

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.