Updated: 2025-08-20 02:06:00.995065
Description:
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
| Metric | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 4.3 |
| CVSS Version 3.x | HIGH | 7.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Debian 10 ELS | tomcat9 | 9.0.31 | 7.5 | HIGH | Already Fixed | | 2025-10-23 14:58:12 | |
| Ubuntu 16.04 ELS | tomcat7 | 7.0.68-1 | 7.5 | HIGH | Not Vulnerable | | 2024-08-22 17:29:33 | |
| Ubuntu 16.04 ELS | tomcat8 | 8.0.32-1 | 7.5 | HIGH | Not Vulnerable | | 2024-08-22 17:29:32 | |
| Ubuntu 18.04 ELS | tomcat9 | 9.0.16-3 | 7.5 | HIGH | Already Fixed | | 2023-06-02 09:09:42 | |
| Ubuntu 18.04 ELS | tomcat8 | 8.5.39-1 | 7.5 | HIGH | Released | CLSA-2023:1687469807 | 2023-06-22 21:16:27 | |