Detections
Analytics
RHEL 10 : tomcat9 (RHSA-2025:14178)
high Nessus Plugin ID 253047
Synopsis
The remote Red Hat host is missing one or more security updates for tomcat9.Description
The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:14178 advisory.Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.
Security Fix(es):
* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)
* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)
* tomcat: http/2 MadeYouReset DoS attack through HTTP/2 control frames (CVE-2025-48989)
* tomcat: Apache Tomcat denial of service (CVE-2025-52520)
* tomcat: Apache Tomcat denial of service (CVE-2025-52434)
* tomcat: Apache Tomcat denial of service (CVE-2025-53506)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the RHEL tomcat9 package based on the guidance in RHSA-2025:14178.See Also
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=2373015
https://bugzilla.redhat.com/show_bug.cgi?id=2373018
https://bugzilla.redhat.com/show_bug.cgi?id=2373020
https://bugzilla.redhat.com/show_bug.cgi?id=2373309
https://bugzilla.redhat.com/show_bug.cgi?id=2379374
https://bugzilla.redhat.com/show_bug.cgi?id=2379382
https://bugzilla.redhat.com/show_bug.cgi?id=2379386
Plugin Details
Severity: High
ID: 253047
File Name: redhat-RHSA-2025-14178.nasl
Version: 1.1
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 8/20/2025
Updated: 8/20/2025
Supported Sensors: Continuous Assessment, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
Vendor
Vendor Severity: Important
CVSS v2
Risk Factor: High
Base Score: 7.1
Temporal Score: 5.6
Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N
CVSS Score Source: CVE-2025-49125
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS v4
Risk Factor: High
Base Score: 8.9
Threat Score: 7.7
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVSS Score Source: CVE-2025-53506
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:tomcat9-webapps, p-cpe:/a:redhat:enterprise_linux:tomcat9-lib, p-cpe:/a:redhat:enterprise_linux:tomcat9-docs-webapp, p-cpe:/a:redhat:enterprise_linux:tomcat9-servlet-4.0-api, p-cpe:/a:redhat:enterprise_linux:tomcat9-admin-webapps, cpe:/o:redhat:enterprise_linux:10.0, p-cpe:/a:redhat:enterprise_linux:tomcat9-el-3.0-api, p-cpe:/a:redhat:enterprise_linux:tomcat9, p-cpe:/a:redhat:enterprise_linux:tomcat9-jsp-2.3-api
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/20/2025
Vulnerability Publication Date: 6/10/2025
Reference Information
CVE: CVE-2025-48976, CVE-2025-48988, CVE-2025-48989, CVE-2025-49125, CVE-2025-52434, CVE-2025-52520, CVE-2025-53506