ALAS2TOMCAT9-2025-021

References: CVE-2025-52434  CVE-2025-52520  CVE-2025-53506 
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.

This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 9.0.107, which fixes the issue. (CVE-2025-52434)

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. (CVE-2025-52520)

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. (CVE-2025-53506)

Issue Correction:
Run yum update tomcat or yum update --advisory ALAS2TOMCAT9-2025-021 to update your system.

New Packages:

noarch:
    tomcat-9.0.107-1.amzn2.0.1.noarch
    tomcat-admin-webapps-9.0.107-1.amzn2.0.1.noarch
    tomcat-docs-webapp-9.0.107-1.amzn2.0.1.noarch
    tomcat-jsvc-9.0.107-1.amzn2.0.1.noarch
    tomcat-jsp-2.3-api-9.0.107-1.amzn2.0.1.noarch
    tomcat-lib-9.0.107-1.amzn2.0.1.noarch
    tomcat-servlet-4.0-api-9.0.107-1.amzn2.0.1.noarch
    tomcat-el-3.0-api-9.0.107-1.amzn2.0.1.noarch
    tomcat-webapps-9.0.107-1.amzn2.0.1.noarch

src:
    tomcat-9.0.107-1.amzn2.0.1.src