# Security update for tomcat

Announcement ID: SUSE-SU-2025:0058-1  
Release Date: 2025-01-10T07:35:34Z  
Rating: important  
References:

  * bsc#1233435
  * bsc#1234663
  * bsc#1234664

  
Cross-References:

  * CVE-2024-50379
  * CVE-2024-52317
  * CVE-2024-54677

  
CVSS scores:

  * CVE-2024-50379 ( SUSE ):  8.5
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2024-50379 ( SUSE ):  7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2024-50379 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2024-52317 ( SUSE ):  6.9
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2024-52317 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-52317 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-54677 ( SUSE ):  8.7
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2024-54677 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2024-54677 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

  
Affected Products:

  * openSUSE Leap 15.6
  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP4 LTSS
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server 15 SP5 LTSS
  * SUSE Linux Enterprise Server 15 SP6
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP6
  * SUSE Manager Server 4.3
  * Web and Scripting Module 15-SP6

  
  
An update that solves three vulnerabilities can now be installed.

## Description:

This update for tomcat fixes the following issues:

Update to Tomcat 9.0.98

  * Fixed CVEs:
  * CVE-2024-54677: DoS in examples web application (bsc#1234664)
  * CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
  * CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
  * Catalina
  * Add: Add option to serve resources from subpath only with WebDAV Servlet
    like with DefaultServlet. (michaelo)
  * Fix: Add special handling for the protocols attribute of SSLHostConfig in
    storeconfig. (remm)
  * Fix: 69442: Fix case sensitive check on content-type when parsing request
    parameters. (remm)
  * Code: Refactor duplicate code for extracting media type and subtype from
    content-type into a single method. (markt)
  * Fix: Compatibility of generated embedded code with components where
    constructors or property related methods throw a checked exception. (remm)
  * Fix: The previous fix for inconsistent resource metadata during concurrent
    reads and writes was incomplete. (markt)
  * Fix: 69444: Ensure that the javax.servlet.error.message request attribute is
    set when an application defined error page is called. (markt)
  * Fix: Avoid quotes for numeric values in the JSON generated by the status
    servlet. (remm)
  * Add: Add strong ETag support for the WebDAV and default servlet, which can
    be enabled by using the useStrongETags init parameter with a value set to
    true. The ETag generated will be a SHA-1 checksum of the resource content.
    (remm)
  * Fix: Use client locale for directory listings. (remm)
  * Fix: 69439: Improve the handling of multiple Cache-Control headers in the
    ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
  * Fix: 69447: Update the support for caching classes the web application class
    loader cannot find to take account of classes loaded from external
    repositories. Prior to this fix, these classes could be incorrectly marked
    as not found. (markt)
  * Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
    users will not be removed and any header present in a HEAD request will also
    be present in the equivalent GET request. There may be some headers, as per
    RFC 9110, section 9.3.2, that are present in a GET request that are not
    present in the equivalent HEAD request. (markt)
  * Fix: 69471: Log instances of CloseNowException caught by
    ApplicationDispatcher.invoke() at debug level rather than error level as
    they are very likely to have been caused by a client disconnection or
    similar I/O issue. (markt)
  * Add: Add a test case for the fix for 69442. Also refactor references to
    application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
    (markt)
  * Fix: 69476: Catch possible ISE when trying to report PUT failure in the
    DefaultServlet. (remm)
  * Add: Add support for RateLimit header fields for HTTP (draft) in the
    RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
  * Add: #787: Add regression tests for 69478. Pull request provided by Thomas
    Krisch. (markt)
  * Fix: The default servlet now rejects HTTP range requests when two or more of
    the requested ranges overlap. Based on pull request #782 provided by Chenjp.
    (markt)
  * Fix: Enhance Content-Range verification for partial PUT requests handled by
    the default servlet. Provided by Chenjp in pull request #778. (markt)
  * Fix: Harmonize DataSourceStore lookup in the global resources to optionally
    avoid the comp/env prefix which is usually not used there. (remm)
  * Fix: As required by RFC 9110, the HTTP Range header will now only be
    processed for GET requests. Based on pull request #790 provided by Chenjp.
    (markt)
  * Fix: Deprecate the useAcceptRanges initialisation parameter for the default
    servlet. It will be removed in Tomcat 12 onwards where it will effectively
    be hard coded to true. (markt)
  * Add: Add DataSource based property storage for the WebdavServlet. (remm)
  * Coyote
  * Fix: Align encodedSolidusHandling with the Servlet specification. If the
    pass-through mode is used, any %25 sequences will now also be passed through
    to avoid errors and/or corruption when the application decodes the path.
    (markt)
  * Jasper
  * Fix: Further optimise EL evaluation of method parameters. Patch provided by
    Paolo B. (markt)
  * Fix: Follow-up to the fix for 69381. Apply the optimisation for method
    lookup performance in expression language to an additional location. (markt)
  * Web applications
  * Fix: Documentation. Remove references to the ResourceParams element. Support
    for ResourceParams was removed in Tomcat 5.5.x. (markt)
  * Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter. The
    attribute is internalProxies rather than allowedInternalProxies. Pull
    request #786 (markt)
  * Fix: Examples. Fix broken links when Servlet Request Info example is called
    via a URL that includes a pathInfo component. (markt)
  * Fix: Examples. Expand the obfuscation of session cookie values in the
    request header example to JSON responses. (markt)
  * Add: Examples. Add the ability to delete session attributes in the servlet
    session example. (markt)
  * Add: Examples. Add a hard coded limit of 10 attributes per session for the
    servlet session example. (markt)
  * Add: Examples. Add the ability to delete session attributes and add a hard
    coded limit of 10 attributes per session for the JSP form authentication
    example. (markt)
  * Add: Examples. Limit the shopping cart example to only allow adding the pre-
    defined items to the cart. (markt)
  * Fix: Examples. Remove JSP calendar example. (markt)
  * Other
  * Fix: 69465: Fix warnings during native image compilation using the Tomcat
    embedded JARs. (markt)
  * Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
  * Update: Update EasyMock to 5.5.0. (markt)
  * Update: Update Checkstyle to 10.20.2. (markt)
  * Update: Update BND to 7.1.0. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Korean translations. (markt)
  * Add: Improvements to Chinese translations. (markt)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.6  
    zypper in -t patch openSUSE-SLE-15.6-2025-58=1

  * Web and Scripting Module 15-SP6  
    zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2025-58=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-58=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-58=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-58=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-58=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-58=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-58=1

  * SUSE Linux Enterprise Server 15 SP4 LTSS  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-58=1

  * SUSE Linux Enterprise Server 15 SP5 LTSS  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-58=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-58=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP4  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-58=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP5  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-58=1

  * SUSE Manager Server 4.3  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-58=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2025-58=1

## Package List:

  * openSUSE Leap 15.6 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-docs-webapp-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-embed-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
    * tomcat-jsvc-9.0.98-150200.74.1
    * tomcat-javadoc-9.0.98-150200.74.1
  * Web and Scripting Module 15-SP6 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Manager Server 4.3 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1
  * SUSE Enterprise Storage 7.1 (noarch)
    * tomcat-jsp-2_3-api-9.0.98-150200.74.1
    * tomcat-servlet-4_0-api-9.0.98-150200.74.1
    * tomcat-admin-webapps-9.0.98-150200.74.1
    * tomcat-lib-9.0.98-150200.74.1
    * tomcat-9.0.98-150200.74.1
    * tomcat-webapps-9.0.98-150200.74.1
    * tomcat-el-3_0-api-9.0.98-150200.74.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-50379.html
  * https://www.suse.com/security/cve/CVE-2024-52317.html
  * https://www.suse.com/security/cve/CVE-2024-54677.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1233435
  * https://bugzilla.suse.com/show_bug.cgi?id=1234663
  * https://bugzilla.suse.com/show_bug.cgi?id=1234664