Critical Tomcat Flaws Enable DoS, Auth Bypass, and Credential Theft
Ubuntu security advisory USN-8417-1 addresses six vulnerabilities in Apache Tomcat affecting memory exhaustion, HTTP/2 validation, authentication bypass, and WebSocket credential leakage. Organizations running Tomcat should prioritize patching to mitigate remote attack vectors.
TL;DR
- WebDAV request body limits missing; attackers can trigger memory exhaustion and denial of service
- HTTP/2 header validation flaw may allow remote code execution or server crashes
- Authentication headers leak during WebSocket upgrades and redirects, exposing credentials
- Digest authentication and LockOutRealm case-sensitivity issues enable auth bypass
- Multiple method constraint handling flaw weakens authorization controls
Ubuntu has released security notice USN-8417-1 documenting six vulnerabilities in Apache Tomcat that span multiple attack surfaces: resource exhaustion, protocol handling, credential management, and access control. These flaws affect the widely-deployed Java application server and pose significant risk to organizations relying on Tomcat for production workloads.
The vulnerabilities range from denial-of-service conditions triggered by oversized WebDAV requests to authentication bypass issues in digest authentication and account lockout mechanisms. Most critically, improper header handling during WebSocket upgrades and HTTP/2 processing could enable remote code execution or credential disclosure.
Denial of Service and Resource Exhaustion
- CVE-2026-41284: Tomcat fails to enforce request body size limits on WebDAV LOCK and PROPFIND operations, allowing attackers to exhaust server memory
- Uncontrolled memory consumption leads to application unavailability and potential cascading failures in multi-tenant environments
- Affects deployments exposing WebDAV functionality without external request filtering
Authentication and Credential Leakage
- CVE-2026-42498: HTTP authentication headers persist during WebSocket connection upgrades and HTTP redirects, exposing sensitive credentials to network observers
- CVE-2026-43512: Digest authentication validation flaws permit attackers to bypass authentication restrictions
- CVE-2026-43513: LockOutRealm case-sensitivity handling allows attackers to circumvent account lockout protections and potentially access sensitive information
Protocol and Authorization Flaws
- CVE-2026-41293: Improper HTTP/2 header field validation may trigger server crashes or remote code execution
- Incomplete authorization constraint evaluation when multiple method constraints define the same HTTP method weakens access control enforcement
- These flaws affect core protocol handling and request routing logic
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.