Amazon Linux 2023 Security Advisory: ALAS2023-2025-1093
Advisory Released Date: 2025-08-08
Advisory Updated Date: 2025-08-27
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. (CVE-2025-53506)
Session Fixation vulnerability in Apache Tomcat via rewrite valve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-55668)
Affected Packages:
tomcat10
Issue Correction:
Run dnf update tomcat10 --releasever 2023.8.20250808 or dnf update --advisory ALAS2023-2025-1093 --releasever 2023.8.20250808 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
noarch:
tomcat10-webapps-10.1.43-1.amzn2023.0.1.noarch
tomcat10-servlet-6.0-api-10.1.43-1.amzn2023.0.1.noarch
tomcat10-10.1.43-1.amzn2023.0.1.noarch
tomcat10-docs-webapp-10.1.43-1.amzn2023.0.1.noarch
tomcat10-admin-webapps-10.1.43-1.amzn2023.0.1.noarch
tomcat10-el-5.0-api-10.1.43-1.amzn2023.0.1.noarch
tomcat10-jsp-3.1-api-10.1.43-1.amzn2023.0.1.noarch
tomcat10-lib-10.1.43-1.amzn2023.0.1.noarch
src:
tomcat10-10.1.43-1.amzn2023.0.1.src
2025-08-27: CVE-2025-55668 was added to this advisory.