[security][CRITICAL] apache-tomcat-9 9.0.108: 9 CVE require triage #1

Closed
opened 2026-04-29 04:36:40 +03:00 by sbelikov · 1 comment
Owner

CVE triage request

Package

  • Package: apache-tomcat-9
  • Version: 9.0.108
  • EVR: 9.0.108-1
  • Category: web
  • Policy class: leaf
  • NiceOS policy class: -
  • Owner: network-team
  • Severity: CRITICAL
  • Max CVSS: 9.6
  • CVE count: 9

LLM recommendation

RU

A critical series of vulnerabilities in Apache Tomcat 9.0.108, including ANSI escape sequence injection into the console (CVE-2025-55754), host validation errors (CVE-2025-66614), client certificate authentication problems (CVE-2026-29145), path traversal (CVE-2025-55752), OCSP vulnerabilities (CVE-2026-24734), HTTP request smuggling (CVE-2026-24880), Padding Oracle (CVE-2026-29146) and token leakage in logs (CVE-2026-34483, CVE-2026-34487).

Update the apache-tomcat-9 package immediately to version 9.0.116 or later. If an update is not possible in the short term, temporarily disable PUT requests, restrict console access and consider using a WAF to filter malicious requests.

Recommended action: update_package

Target version hint: 9.0.116

Checks:
1. Check the installed package version: rpm -q apache-tomcat-9.
2. Check for the patches in the update logs.
3. Test reproduction of CVE-2025-55754 (ANSI injection) in a test environment with a console.
4. Check handling of PUT requests and URL normalization.

Risks: full control of the server (RCE) via path traversal and PUT requests, console and clipboard manipulation, bypass of certificate authentication, leakage of Kubernetes bearer tokens, bypass of certificate revocation checks (OCSP).

EN

Critical series of vulnerabilities in Apache Tomcat 9.0.108, including ANSI escape sequence injection (CVE-2025-55754), host validation errors (CVE-2025-66614), client certificate authentication issues (CVE-2026-29145), path traversal (CVE-2025-55752), OCSP vulnerabilities (CVE-2026-24734), HTTP request smuggling (CVE-2026-24880), Padding Oracle (CVE-2026-29146), and token leakage in logs (CVE-2026-34483, CVE-2026-34487).

Immediately update the apache-tomcat-9 package to version 9.0.116 or higher. If an immediate update is not possible, temporarily disable PUT requests, restrict console access, and consider using a WAF to filter malicious requests.

Recommended action: update_package

Target version hint: 9.0.116

Tests:
1. Check installed package version: rpm -q apache-tomcat-9.
2. Verify patch presence in update logs.
3. Test CVE-2025-55754 (ANSI injection) reproduction in a test environment with a console.
4. Verify handling of PUT requests and URL normalization.

Risks: Full server control (RCE) via path traversal and PUT requests, console and clipboard manipulation, bypassing certificate authentication, bearer token leakage, bypassing certificate revocation checks (OCSP).

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2025-55754 | CRITICAL | 9.6 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-66614 | CRITICAL | 9.1 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-29145 | CRITICAL | 9.1 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-55752 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-24734 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-24880 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-29146 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-34483 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-34487 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2025-55754

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.

Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
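The fix for this CVE escapes control sequences before log messages reach a console. As an added defensive check (not from the issue, its tooling, or Tomcat itself), the following scans access-log lines for raw or percent-encoded ESC/CSI bytes and renders flagged lines so a terminal never interprets them. The sample lines are constructed; treating `%1B` in a request line as suspicious is a heuristic assumption, not proof of an attack.

```python
import re

# Constructed access-log lines in Tomcat's "common" format; illustrative only,
# not taken from any real deployment. Line 2 carries raw ESC bytes, line 3 the
# same introducer percent-encoded; line 1 is benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [29/Apr/2026:04:36:40 +0300] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.9 - - [29/Apr/2026:04:36:41 +0300] "GET /\x1b[2J\x1b[31mnotice HTTP/1.1" 404 0',
    '10.0.0.9 - - [29/Apr/2026:04:36:42 +0300] "GET /%1B%5B2J HTTP/1.1" 404 0',
]

# C0 controls except TAB and LF, DEL, and C1 controls (0x9b is the 8-bit CSI introducer).
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")
# Percent-encoded ESC or CSI inside a request line (heuristic, see lead-in).
ENCODED_ESC_RE = re.compile(r"%(?:1[bB]|9[bB])")


def escape_control_chars(text):
    """Render every control character as \\uXXXX so it is visible but inert."""
    return CONTROL_RE.sub(lambda m: "\\u%04x" % ord(m.group()), text)


def flags_for(line):
    """Reasons a single log line is suspicious (empty list if none)."""
    flags = []
    if CONTROL_RE.search(line):
        flags.append("raw-control-char")
    if ENCODED_ESC_RE.search(line):
        flags.append("percent-encoded-esc")
    return flags


def scan_log(lines):
    """Return (line number, flags, safely escaped line) for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        flags = flags_for(line)
        if flags:
            findings.append((number, flags, escape_control_chars(line)))
    return findings


if __name__ == "__main__":
    for number, flags, safe in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number} [{', '.join(flags)}]: {safe}")
```

To run it over a real file, feed `scan_log` the stripped lines of an access log read with `errors="surrogateescape"` so undecodable bytes are kept rather than dropped.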

CVE-2025-66614

Improper Input Validation vulnerability.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.

Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field.

The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application.

Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

CVE-2026-29145

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

CVE-2025-55752

Relative Path Traversal vulnerability in Apache Tomcat.

The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

CVE-2026-24734

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.

When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.

This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.

The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.

Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.

Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

CVE-2026-24880

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

CVE-2026-29146

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

CVE-2026-34483

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

CVE-2026-34487

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

```json
{
  "cves": [
    "CVE-2025-55752",
    "CVE-2025-55754",
    "CVE-2025-66614",
    "CVE-2026-24734",
    "CVE-2026-24880",
    "CVE-2026-29145",
    "CVE-2026-29146",
    "CVE-2026-34483",
    "CVE-2026-34487"
  ],
  "fingerprint": "2bc85ed2f3b905087797",
  "generated_at": "2026-04-29T01:36:40Z",
  "package": "apache-tomcat-9",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "9.0.108"
}
```
Comment by sbelikov (Author, Owner):

Triage result for NiceOS 5.2:

apache-tomcat-9 9.0.108-1 is affected by the CVEs listed in this issue.

The target version hint 9.0.116 is not sufficient for the full CVE set. It fixes several items in the chain, but CVE-2026-34483 and CVE-2026-34487 affect Tomcat 9.0.116 and are fixed in 9.0.117.

Resolution plan:

  • Keep the package in the Apache Tomcat 9 stable series: 9.0.x.
  • Do not migrate this package to Tomcat 10/11 for this security update; that would require Jakarta/API compatibility review.
  • Update target: apache-tomcat-9 9.0.108 → 9.0.117.
  • Do not backport individual patches unless the 9.0.117 update fails, because upstream provides a security patch release in the same 9.0.x line.

CVE status with 9.0.117:

  • CVE-2025-55754: fixed in 9.0.109.
  • CVE-2025-55752: fixed in 9.0.109.
  • CVE-2025-66614: fixed in 9.0.113.
  • CVE-2026-24734: fixed in 9.0.115.
  • CVE-2026-24880: fixed in 9.0.116.
  • CVE-2026-29145: fixed in 9.0.116.
  • CVE-2026-29146: fixed in 9.0.116.
  • CVE-2026-34483: fixed in 9.0.117.
  • CVE-2026-34487: fixed in 9.0.117.

Additional note:

Updating to 9.0.117 also avoids follow-up issues fixed in the same Tomcat security wave, including fixes related to incomplete or follow-up handling around earlier 9.0.116 security changes.

Validation before closing:

```bash
rpm -q apache-tomcat-9
systemctl daemon-reload
systemctl start tomcat || systemctl start apache-tomcat-9
systemctl status tomcat --no-pager || systemctl status apache-tomcat-9 --no-pager
curl -I http://127.0.0.1:8080/ || true
grep -R "RewriteValve\|JsonAccessLogValve\|EncryptInterceptor\|CloudMembership" /etc/tomcat* /usr/share/tomcat*/conf 2>/dev/null || true
```
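As an added example (not part of the issue, the triage comment, or the niceos tooling), the range check behind the conclusion above: it encodes the 9.0.x affected ranges and fix versions taken from the CVE descriptions and the "CVE status with 9.0.117" list, parses Tomcat's milestone spellings (`9.0.0-M1`, `9.0.0.M11`) so they sort before the GA build, and shows that `9.0.116` leaves two CVEs open while `9.0.117` closes all nine. `installed_version` shells out to `rpm -q --queryformat` and is optional; everything else runs offline.

```python
import re
import subprocess

# Inclusive affected 9.0.x range and first fixed 9.0.x release per CVE, as stated
# in the descriptions and the triage comment of this issue.
AFFECTED_9X = {
    "CVE-2025-55754": ("9.0.40", "9.0.108", "9.0.109"),
    "CVE-2025-66614": ("9.0.0-M1", "9.0.112", "9.0.113"),
    "CVE-2026-29145": ("9.0.83", "9.0.115", "9.0.116"),
    "CVE-2025-55752": ("9.0.0.M11", "9.0.108", "9.0.109"),
    "CVE-2026-24734": ("9.0.83", "9.0.114", "9.0.115"),
    "CVE-2026-24880": ("9.0.0.M1", "9.0.115", "9.0.116"),
    "CVE-2026-29146": ("9.0.13", "9.0.115", "9.0.116"),
    "CVE-2026-34483": ("9.0.40", "9.0.116", "9.0.117"),
    "CVE-2026-34487": ("9.0.13", "9.0.116", "9.0.117"),
}

# "9.0.108", "9.0.0-M1" (milestone) and "9.0.0.M11" (older milestone spelling).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Sortable tuple; a milestone sorts before the GA build with the same number."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected(cve, version):
    """True when `version` lies inside the CVE's affected 9.0.x range."""
    low, high, _fixed = AFFECTED_9X[cve]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def open_cves(version):
    """CVEs from this issue that still apply to the given 9.0.x version."""
    return sorted(c for c in AFFECTED_9X if is_affected(c, version))


def upgrade_report(current, target):
    """For each CVE open at `current`, whether moving to `target` closes it."""
    return {c: "fixed" if not is_affected(c, target) else "still_affected"
            for c in open_cves(current)}


def minimum_fixed_version(cves=None):
    """Smallest 9.0.x release in which every given CVE (default: all nine) is fixed."""
    cves = list(cves) if cves is not None else list(AFFECTED_9X)
    return max((AFFECTED_9X[c][2] for c in cves), key=parse_version)


def installed_version(package="apache-tomcat-9"):
    """Installed version from rpm, or None if rpm is missing or the package is absent."""
    try:
        out = subprocess.run(["rpm", "-q", "--queryformat", "%{VERSION}", package],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    current = installed_version() or "9.0.108"  # fall back to the version in this issue
    for target in ("9.0.116", "9.0.117"):
        report = upgrade_report(current, target)
        left = [c for c, status in report.items() if status == "still_affected"]
        print(f"{current} -> {target}: {len(report) - len(left)} fixed, still open: {left or 'none'}")
    print("minimum 9.0.x release fixing all nine:", minimum_fixed_version())
```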
Reference
rpms/apache-tomcat-9#1