Security update for tomcat

Announcement ID:	SUSE-SU-2026:2299-1
Release Date:	2026-06-08T10:55:17Z
Rating:	important
References:	bsc#1265145 bsc#1265162 bsc#1265163 bsc#1265165 bsc#1265166 bsc#1265167 bsc#1265168
Cross-References:	CVE-2026-41284 CVE-2026-41293 CVE-2026-42498 CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515
CVSS scores:	CVE-2026-41284 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-41284 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-41284 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-41293 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-41293 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-41293 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-42498 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-42498 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-42498 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2026-43512 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2026-43512 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2026-43512 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-43513 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-43513 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2026-43513 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-43514 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-43514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-43514 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-43515 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2026-43515 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-43515 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves seven vulnerabilities can now be installed.

Description:

This update for tomcat fixes the following issues

Update to Tomcat 9.0.118:

• CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162).
• CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
• CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
• CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145).
• CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166).
• CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
• CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).

Changes:

• Catalina
• Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and OpenSSL version information (both APR and FFM implementations), along with version compatibility warnings and third-party library version information. (csutherl)
• Code: Refactor generation of the remote user element in the access log to remove unnecessary code. (markt)
• Fix: Fix a regression in the previous release that meant ?- could appear in the access log rather than ? when the query string was present but empty. (markt)
• Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by Mahmoud Alarby. (remm)
• Fix: Align the escaping in ExtendedAccessLogValve with the other AccessLogValve implementations. (markt)
• Fix: 70000: fix duplication of special headers in the response after commit, following fix for 69967. (remm)
• Fix: Correct the handling of URIs mapped to a security constraint that only specifies the special ** role for all authenticated users. Requests without authentication were receiving 403 responses rather than 401 responses. (markt)
• Fix: Fix a race condition in StandardContext.getServletContext() that could cause the jakarta.servlet.context.tempdir attribute to be lost during a context reload. Make the context field volatile and use locking to ensure only one ApplicationContext instance is created. (dsoumis)
• Fix: Update the Windows authentication (kerberos) documentation to reflect that both Java and Windows are removing / have removed support for RC4-HMAC. The guide now uses AES256-SHA1. (markt)
• Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which limits the size of a WebDAV request body for LOCK and PROPFIND. The default value is 4096 bytes. (markt)
• Add: Add a new caseSensitive attribute to the LockOutRealm that controls the manner in which user names are treated when making locking decisions. The default is false, meaning user names are treated in a case insensitive manner. (markt)
• Fix: Correct the handling of invalid users with DIGEST authentication. (markt)
• Fix: Ensure RealmBase finds all matching extension based security constraints. (markt)
• Coyote
• Fix: Avoid various edge cases if Content-Length is set via setHeader(String,String) or addHeader(String,String) with an invalid value by always clearing the previous value whether the new value is valid or not and ignoring any invalid new value. (markt)
• Code: Refactor the calculation of the real index in the HPACK dynamic header table implementation to reduce code duplication. (markt)
• Fix: Fix various minor issues with some HTTP/2 stream error messages for HTTP/2. (markt)
• Fix: Consistently reject URIs containing NULL bytes when normalizing.
• Fix: Fix a few minor memory leaks on error paths reading TLS keys and certificates when using FFM. (markt)
• Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC after a stream reset. (markt)
• Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not permitted in trailers. (markt)
• Fix: Free private keys after use in FFM based connector configuration.
• Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header decoding that could result in a valid header triggering an unexpected connection close. (markt)
• Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted to lower case once during the encoding process. (markt)
• Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend validation to check for disallowed characters as well as upper case characters. (markt)
• Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm)
• Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with the use (or not) of TLS. (markt)
• Fix: Correct the validation of pseudo headers and CONNECT requests to align Tomcat's behaviour with RFC 9113, section 8.5. (markt)
• Fix: Fix a potential integer overflow when allocating capacity from a connection level window update to individual HTTP/2 streams. Based on #996 by Mike Tingey Jr. (markt)
• Fix: Switch AJP secret comparison to a constant time algorithm. (markt)
• WebSocket
• Fix: Fix the initial connection to a WebSocket end point where the connection is made via a proxy that requires DIGEST authentication.
• Other
• Fix: 69993: Update the URL to the CDDL 1.0 license. (markt)
• Add: Add warning when OpenSSL binary is not found. (csutherl)
• Add: Add check for Tomcat Native library, and log warning when it's not found to make it easier to see when it's not used by the suite. (csutherl)
• Update: Update Byte Buddy to 1.18.8. (markt)
• Update: Update Bouncy Castle to 1.84. (markt)
• Update: Improvements to French translations. (remm)
• Update: Improvements to Japanese translations provided by tak7iji. (markt)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2026-2299=1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2299=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
  • tomcat-servlet-4_0-api-9.0.118-3.166.1
  • tomcat-admin-webapps-9.0.118-3.166.1
  • tomcat-lib-9.0.118-3.166.1
  • tomcat-9.0.118-3.166.1
  • tomcat-javadoc-9.0.118-3.166.1
  • tomcat-el-3_0-api-9.0.118-3.166.1
  • tomcat-jsp-2_3-api-9.0.118-3.166.1
  • tomcat-docs-webapp-9.0.118-3.166.1
  • tomcat-webapps-9.0.118-3.166.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  • tomcat-servlet-4_0-api-9.0.118-3.166.1
  • tomcat-admin-webapps-9.0.118-3.166.1
  • tomcat-lib-9.0.118-3.166.1
  • tomcat-9.0.118-3.166.1
  • tomcat-javadoc-9.0.118-3.166.1
  • tomcat-el-3_0-api-9.0.118-3.166.1
  • tomcat-jsp-2_3-api-9.0.118-3.166.1
  • tomcat-docs-webapp-9.0.118-3.166.1
  • tomcat-webapps-9.0.118-3.166.1

References:

• https://www.suse.com/security/cve/CVE-2026-41284.html
• https://www.suse.com/security/cve/CVE-2026-41293.html
• https://www.suse.com/security/cve/CVE-2026-42498.html
• https://www.suse.com/security/cve/CVE-2026-43512.html
• https://www.suse.com/security/cve/CVE-2026-43513.html
• https://www.suse.com/security/cve/CVE-2026-43514.html
• https://www.suse.com/security/cve/CVE-2026-43515.html
• https://bugzilla.suse.com/show_bug.cgi?id=1265145
• https://bugzilla.suse.com/show_bug.cgi?id=1265162
• https://bugzilla.suse.com/show_bug.cgi?id=1265163
• https://bugzilla.suse.com/show_bug.cgi?id=1265165
• https://bugzilla.suse.com/show_bug.cgi?id=1265166
• https://bugzilla.suse.com/show_bug.cgi?id=1265167
• https://bugzilla.suse.com/show_bug.cgi?id=1265168