Fwd: [thredds] [SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header


Roy Mendelssohn - NOAA Federal
Apr 28, 2025, 4:30:54 PM
to ERDDAP
Please see below and if possible update your tomcats.

Thanks,

-Roy

Begin forwarded message:

From: Jennifer Oxelson Ganter <oxe...@ucar.edu>
Subject: [thredds] Fwd: [SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
Date: April 28, 2025 at 1:22:03 PM PDT
To: THREDDS community <thr...@unidata.ucar.edu>

Hi all,

A couple of new Tomcat CVEs, including one of high severity, were just announced.  

---------- Forwarded message ---------
From: Mark Thomas <ma...@apache.org>
Date: Mon, Apr 28, 2025 at 1:14 PM
Subject: [SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
To: Tomcat Users List <us...@tomcat.apache.org>
Cc: <anno...@apache.org>, anno...@tomcat.apache.org <anno...@tomcat.apache.org>, Tomcat Developers List <d...@tomcat.apache.org>


CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.5
Apache Tomcat 10.1.10 to 10.1.39
Apache Tomcat 9.0.76 to 9.0.102

Description:
Incorrect error handling for some invalid HTTP priority headers resulted
in incomplete clean-up of the failed request which created a memory
leak. A large number of such requests could trigger an
OutOfMemoryException resulting in a denial of service.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.6 or later
- Upgrade to Apache Tomcat 10.1.40 or later
- Upgrade to Apache Tomcat 9.0.104 or later

Note: This issue was fixed in Apache Tomcat 9.0.103 but the release vote
for the 9.0.103 release candidate did not pass. Therefore, although
users must download 9.0.104 to obtain a version that includes a fix for
this issue, version 9.0.103 is not included in the list of affected
versions.

Credit:
The vulnerability was identified by the Tomcat security team.

History:
2025-04-28 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html


--
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter                                       NSF Unidata
Software Engineer IV                                          P.O. Box 3000 
oxe...@ucar.edu                                       Boulder, CO 80307
------------------------------------------------------------------------------------

_______________________________________________
NOTE: All exchanges posted to Unidata maintained email lists are
recorded in the Unidata inquiry tracking system and made publicly
available through the web.  Users who post to any of the lists we
maintain are reminded to remove any personal information that they
do not want to be made public.


thredds mailing list
thr...@unidata.ucar.edu
For list information or to unsubscribe,  visit: https://www.unidata.ucar.edu/mailing_lists/
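For anyone checking more than one server against the advisory above, here is an added example (Python; not code from the advisory, the Tomcat project, or either poster). It parses the version string Tomcat reports from `catalina.sh version` (which runs `org.apache.catalina.util.ServerInfo`), then classifies it using exactly the affected ranges and fixed releases listed in the advisory. Milestone versions such as 11.0.0-M2 sort before their GA release, and 9.0.103 is reported as "not-listed" rather than "fixed", in line with the note about the failed 9.0.103 release vote. The sample ServerInfo output embedded below is constructed, and the `Server version: Apache Tomcat/x.y.z` line format is an assumption based on typical output; versions the advisory does not mention (for example 8.5.x) are deliberately reported as "not-listed", not as safe.

```python
"""Classify a deployed Apache Tomcat version against CVE-2025-31650.

Added example, not part of the advisory or the Tomcat project. The ranges
and fixed releases below are copied from the advisory text; the sample
ServerInfo output is constructed for illustration.
"""
import re
from typing import Optional, Tuple

# (first affected, last affected, first release carrying the fix), inclusive,
# exactly as listed in the advisory.
AFFECTED = [
    ("11.0.0-M2", "11.0.5", "11.0.6"),
    ("10.1.10", "10.1.39", "10.1.40"),
    ("9.0.76", "9.0.102", "9.0.104"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Constructed sample of `catalina.sh version` output (format assumed).
SAMPLE_SERVERINFO = """\
Server version: Apache Tomcat/9.0.102
Server built:   Mar 1 2025 12:00:00 UTC
Server number:  9.0.102.0
OS Name:        Linux
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn '9.0.102' or '11.0.0-M2' into a sortable tuple.

    A milestone x.y.z-Mn precedes the GA release x.y.z, so milestones map to
    (x, y, z, 0, n) and GA releases to (x, y, z, 1, 0). Returns None for
    strings that are not Tomcat version numbers.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_serverinfo(output: str) -> Optional[str]:
    """Extract the version from ServerInfo output.

    Prefers the 'Server version:' line; falls back to 'Server number:' and
    drops its trailing build component ('9.0.102.0' -> '9.0.102').
    """
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    if m:
        return m.group(1)
    m = re.search(r"Server number:\s*(\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_release) for one version string.

    status: 'affected', 'fixed', 'not-listed' or 'unparsable'. 'not-listed'
    covers versions the advisory does not mention, including 9.0.103 (never
    released) and branches such as 8.5.x; it is not a statement of safety.
    """
    v = parse_version(version)
    if v is None:
        return ("unparsable", None)
    for lo, hi, fixed in AFFECTED:
        if parse_version(lo) <= v <= parse_version(hi):
            return ("affected", fixed)
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:   # same major.minor branch, at/after fix
            return ("fixed", fixed)
    return ("not-listed", None)


def check_serverinfo(output: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Full check on ServerInfo output: (version, status, first_fixed)."""
    version = version_from_serverinfo(output)
    if version is None:
        return (None, "unparsable", None)
    status, fixed = assess(version)
    return (version, status, fixed)


if __name__ == "__main__":
    print(check_serverinfo(SAMPLE_SERVERINFO))
    for ver in ["11.0.0-M1", "11.0.0-M2", "11.0.6", "10.1.39", "9.0.103", "8.5.100"]:
        print(ver, assess(ver))
```

Run it on each host's `catalina.sh version` output; anything reported "affected" is on the advisory's list and should move to the printed fixed release, while "not-listed" results need a manual look at the Tomcat security pages for that branch.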
