==========================================================================
Ubuntu Security Notice USN-8417-1
June 10, 2026

tomcat9, tomcat10 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat10: Servlet and JSP engine
- tomcat9: Servlet and JSP engine

Details:

It was discovered that Tomcat did not properly limit the size of
WebDAV LOCK and PROPFIND request bodies. A remote attacker could
use this issue to cause Tomcat to consume excessive memory,
resulting in a denial of service. (CVE-2026-41284)

It was discovered that Tomcat incorrectly validated HTTP/2 header
fields. A remote attacker could use this issue to cause Tomcat to
crash or possibly execute arbitrary code. (CVE-2026-41293)

It was discovered that Tomcat did not properly clear HTTP
authentication headers during WebSocket connection upgrades and
redirects. A remote attacker could use this issue to obtain
sensitive credentials. (CVE-2026-42498)

It was discovered that Tomcat incorrectly handled digest
authentication. A remote attacker could possibly use this issue to
bypass authentication restrictions. (CVE-2026-43512)

It was discovered that Tomcat incorrectly handled case sensitivity
in LockOutRealm. A remote attacker could possibly use this issue to
bypass account lockout protections and obtain sensitive information.
(CVE-2026-43513)

It was discovered that Tomcat incorrectly handled authorization
when multiple method constraints defined the same HTTP method. A
remote attacker could possibly use this issue to bypass
authorization restrictions. (CVE-2026-43515)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  libtomcat10-embed-java          10.1.40-1ubuntu1.26.04.1
  libtomcat10-java                10.1.40-1ubuntu1.26.04.1
  libtomcat9-java                 9.0.115-1ubuntu0.1
  tomcat10                        10.1.40-1ubuntu1.26.04.1

Ubuntu 25.10
  libtomcat10-embed-java          10.1.40-1ubuntu1.25.10.1
  libtomcat10-java                10.1.40-1ubuntu1.25.10.1
  libtomcat9-java                 9.0.95-1ubuntu1.1
  tomcat10                        10.1.40-1ubuntu1.25.10.1

Ubuntu 24.04 LTS
  libtomcat10-embed-java          10.1.16-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  libtomcat10-java                10.1.16-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro
  libtomcat9-java                 9.0.70-2ubuntu0.1+esm3
                                  Available with Ubuntu Pro
  tomcat10                        10.1.16-1ubuntu0.1~esm4
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libtomcat9-embed-java           9.0.58-1ubuntu0.2+esm4
                                  Available with Ubuntu Pro
  libtomcat9-java                 9.0.58-1ubuntu0.2+esm4
                                  Available with Ubuntu Pro
  tomcat9                         9.0.58-1ubuntu0.2+esm4
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libtomcat9-embed-java           9.0.31-1ubuntu0.9+esm3
                                  Available with Ubuntu Pro
  libtomcat9-java                 9.0.31-1ubuntu0.9+esm3
                                  Available with Ubuntu Pro
  tomcat9                         9.0.31-1ubuntu0.9+esm3
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libtomcat9-embed-java           9.0.16-3ubuntu0.18.04.2+esm8
                                  Available with Ubuntu Pro
  libtomcat9-java                 9.0.16-3ubuntu0.18.04.2+esm8
                                  Available with Ubuntu Pro
  tomcat9                         9.0.16-3ubuntu0.18.04.2+esm8
                                  Available with Ubuntu Pro

After a standard system update you need to restart Tomcat to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8417-1
  CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43512,
  CVE-2026-43513, CVE-2026-43515

Package Information:
  https://launchpad.net/ubuntu/+source/tomcat10/10.1.40-1ubuntu1.26.04.1
  https://launchpad.net/ubuntu/+source/tomcat9/9.0.115-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/tomcat10/10.1.40-1ubuntu1.25.10.1
  https://launchpad.net/ubuntu/+source/tomcat9/9.0.95-1ubuntu1.1

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to