Security update for tomcat
This update for tomcat fixes the following issues Update to Tomcat 9.0.118: - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162). - CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163). - CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165). - CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145). - CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166). - CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167). - CVE-2026-43515: Security constraints not correctly applied (bsc#1265168). Changes: * Catalina + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and OpenSSL version information (both APR and FFM implementations), along with version compatibility warnings and third-party library version information. (csutherl) + Code: Refactor generation of the remote user element in the access log to remove unnecessary code. (markt) + Fix: Fix a regression in the previous release that meant ?- could appear in the access log rather than ? when the query string was present but empty. (markt) + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by Mahmoud Alarby. (remm) + Fix: Align the escaping in ExtendedAccessLogValve with the other AccessLogValve implementations. (markt) + Fix: 70000: fix duplication of special headers in the response after commit, following fix for 69967. (remm) + Fix: Correct the handling of URIs mapped to a security constraint that only specifies the special ** role for all authenticated users. Requests without authentication were receiving 403 responses rather than 401 responses. (markt) + Fix: Fix a race condition in StandardContext.getServletContext() that could cause the jakarta.servlet.context.tempdir attribute to be lost during a context reload. Make the context field volatile and use locking to ensure only one ApplicationContext instance is created. (dsoumis) + Fix: Update the Windows authentication (kerberos) documentation to reflect that both Java and Windows are removing / have removed support for RC4-HMAC. The guide now uses AES256-SHA1. (markt) + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which limits the size of a WebDAV request body for LOCK and PROPFIND. The default value is 4096 bytes. (markt) + Add: Add a new caseSensitive attribute to the LockOutRealm that controls the manner in which user names are treated when making locking decisions. The default is false, meaning user names are treated in a case insensitive manner. (markt) + Fix: Correct the handling of invalid users with DIGEST authentication. (markt) + Fix: Ensure RealmBase finds all matching extension based security constraints. (markt) * Coyote + Fix: Avoid various edge cases if Content-Length is set via setHeader(String,String) or addHeader(String,String) with an invalid value by always clearing the previous value whether the new value is valid or not and ignoring any invalid new value. (markt) + Code: Refactor the calculation of the real index in the HPACK dynamic header table implementation to reduce code duplication. (markt) + Fix: Fix various minor issues with some HTTP/2 stream error messages for HTTP/2. (markt) + Fix: Consistently reject URIs containing NULL bytes when normalizing. + Fix: Fix a few minor memory leaks on error paths reading TLS keys and certificates when using FFM. (markt) + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC after a stream reset. (markt) + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not permitted in trailers. (markt) + Fix: Free private keys after use in FFM based connector configuration. + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header decoding that could result in a valid header triggering an unexpected connection close. (markt) + Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted to lower case once during the encoding process. (markt) + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend validation to check for disallowed characters as well as upper case characters. (markt) + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with the use (or not) of TLS. (markt) + Fix: Correct the validation of pseudo headers and CONNECT requests to align Tomcat's behaviour with RFC 9113, section 8.5. (markt) + Fix: Fix a potential integer overflow when allocating capacity from a connection level window update to individual HTTP/2 streams. Based on #996 by Mike Tingey Jr. (markt) + Fix: Switch AJP secret comparison to a constant time algorithm. (markt) * WebSocket + Fix: Fix the initial connection to a WebSocket end point where the connection is made via a proxy that requires DIGEST authentication. * Other +
AI Analysis
Technical Summary
The update to Tomcat 9.0.118 resolves seven distinct security vulnerabilities: CVE-2026-41284 (unbounded read in WebDAV LOCK and PROPFIND), CVE-2026-41293 (lack of validation in HTTP/2 request headers), CVE-2026-42498 (exposure of WebSocket authentication headers), CVE-2026-43512 (digest authenticator authenticates unknown users), CVE-2026-43513 (LockOutRealm treats user names as case-sensitive incorrectly), CVE-2026-43514 (AJP secret compared in non-constant time), and CVE-2026-43515 (security constraints not correctly applied). These fixes address both security and functional issues in the Catalina, Coyote, and WebSocket components of Tomcat. The update also introduces new configuration parameters and refactors code to improve security posture and compliance with relevant RFCs.
Potential Impact
The vulnerabilities fixed in this update could allow attackers to exploit unbounded reads, bypass authentication mechanisms, expose sensitive authentication headers, and circumvent security constraints. These issues collectively pose a high security risk by potentially enabling unauthorized access or denial of service conditions. The update mitigates these risks by correcting authentication logic, improving header validation, and enforcing security constraints properly.
Mitigation Recommendations
A security update is available in Tomcat version 9.0.118 that addresses these vulnerabilities. Users should upgrade to this version to apply the official fixes. No additional mitigation steps are required beyond applying this update.
Security update for tomcat
Description
This update for tomcat fixes the following issues Update to Tomcat 9.0.118: - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162). - CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163). - CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165). - CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145). - CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166). - CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167). - CVE-2026-43515: Security constraints not correctly applied (bsc#1265168). Changes: * Catalina + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and OpenSSL version information (both APR and FFM implementations), along with version compatibility warnings and third-party library version information. (csutherl) + Code: Refactor generation of the remote user element in the access log to remove unnecessary code. (markt) + Fix: Fix a regression in the previous release that meant ?- could appear in the access log rather than ? when the query string was present but empty. (markt) + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by Mahmoud Alarby. (remm) + Fix: Align the escaping in ExtendedAccessLogValve with the other AccessLogValve implementations. (markt) + Fix: 70000: fix duplication of special headers in the response after commit, following fix for 69967. (remm) + Fix: Correct the handling of URIs mapped to a security constraint that only specifies the special ** role for all authenticated users. Requests without authentication were receiving 403 responses rather than 401 responses. (markt) + Fix: Fix a race condition in StandardContext.getServletContext() that could cause the jakarta.servlet.context.tempdir attribute to be lost during a context reload. Make the context field volatile and use locking to ensure only one ApplicationContext instance is created. (dsoumis) + Fix: Update the Windows authentication (kerberos) documentation to reflect that both Java and Windows are removing / have removed support for RC4-HMAC. The guide now uses AES256-SHA1. (markt) + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which limits the size of a WebDAV request body for LOCK and PROPFIND. The default value is 4096 bytes. (markt) + Add: Add a new caseSensitive attribute to the LockOutRealm that controls the manner in which user names are treated when making locking decisions. The default is false, meaning user names are treated in a case insensitive manner. (markt) + Fix: Correct the handling of invalid users with DIGEST authentication. (markt) + Fix: Ensure RealmBase finds all matching extension based security constraints. (markt) * Coyote + Fix: Avoid various edge cases if Content-Length is set via setHeader(String,String) or addHeader(String,String) with an invalid value by always clearing the previous value whether the new value is valid or not and ignoring any invalid new value. (markt) + Code: Refactor the calculation of the real index in the HPACK dynamic header table implementation to reduce code duplication. (markt) + Fix: Fix various minor issues with some HTTP/2 stream error messages for HTTP/2. (markt) + Fix: Consistently reject URIs containing NULL bytes when normalizing. + Fix: Fix a few minor memory leaks on error paths reading TLS keys and certificates when using FFM. (markt) + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC after a stream reset. (markt) + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not permitted in trailers. (markt) + Fix: Free private keys after use in FFM based connector configuration. + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header decoding that could result in a valid header triggering an unexpected connection close. (markt) + Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted to lower case once during the encoding process. (markt) + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend validation to check for disallowed characters as well as upper case characters. (markt) + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with the use (or not) of TLS. (markt) + Fix: Correct the validation of pseudo headers and CONNECT requests to align Tomcat's behaviour with RFC 9113, section 8.5. (markt) + Fix: Fix a potential integer overflow when allocating capacity from a connection level window update to individual HTTP/2 streams. Based on #996 by Mike Tingey Jr. (markt) + Fix: Switch AJP secret comparison to a constant time algorithm. (markt) * WebSocket + Fix: Fix the initial connection to a WebSocket end point where the connection is made via a proxy that requires DIGEST authentication. * Other +
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The update to Tomcat 9.0.118 resolves seven distinct security vulnerabilities: CVE-2026-41284 (unbounded read in WebDAV LOCK and PROPFIND), CVE-2026-41293 (lack of validation in HTTP/2 request headers), CVE-2026-42498 (exposure of WebSocket authentication headers), CVE-2026-43512 (digest authenticator authenticates unknown users), CVE-2026-43513 (LockOutRealm treats user names as case-sensitive incorrectly), CVE-2026-43514 (AJP secret compared in non-constant time), and CVE-2026-43515 (security constraints not correctly applied). These fixes address both security and functional issues in the Catalina, Coyote, and WebSocket components of Tomcat. The update also introduces new configuration parameters and refactors code to improve security posture and compliance with relevant RFCs.
Potential Impact
The vulnerabilities fixed in this update could allow attackers to exploit unbounded reads, bypass authentication mechanisms, expose sensitive authentication headers, and circumvent security constraints. These issues collectively pose a high security risk by potentially enabling unauthorized access or denial of service conditions. The update mitigates these risks by correcting authentication logic, improving header validation, and enforcing security constraints properly.
Mitigation Recommendations
A security update is available in Tomcat version 9.0.118 that addresses these vulnerabilities. Users should upgrade to this version to apply the official fixes. No additional mitigation steps are required beyond applying this update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- SUSE Product Security Team
- Advisory Id
- SUSE-SU-2026:2299-1
- Cve Count
- 7
- Additional Cves
- ["CVE-2026-41293","CVE-2026-42498","CVE-2026-43512","CVE-2026-43513","CVE-2026-43514","CVE-2026-43515"]
- Cvss Version
- null
Threat ID: 6a27e9a88dd33fbd8516f3d4
Added to database: 6/9/2026, 10:23:36 AM
Last enriched: 6/9/2026, 10:52:04 AM
Last updated: 6/9/2026, 12:32:20 PM
Views: 21
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.