
Debian Releases Security Advisories for Tomcat9, Tomcat10, and Tomcat11 Vulnerabilities

Severity: High (Score: 70.5)

Sources: Linuxsecurity

Published: 2026-06-08 · Updated: 2026-06-08

Keywords: debian, tomcat, bypass, vuln, critical, auth, dos

Severity indicators: critical

Summary

Debian has issued security advisories for the tomcat9, tomcat10 and tomcat11 packages. Tomcat9 (DLA-4619, Debian 11 bullseye) fixes an authentication bypass and a denial-of-service issue in version 9.0.118-0+deb11u1; the advisory notes that an upgrade of the Tomcat native library, libtcnative-1, was required as well to address the vulnerabilities and restore compatibility with Tomcat 9. Tomcat10 (DSA-6328) fixes a critical denial-of-service and authentication-bypass issue in version 10.1.55-1~deb12u1 for oldstable (bookworm) and 10.1.55-1~deb13u1 for stable (trixie). Tomcat11 (DSA-6329) fixes a moderate-severity DDoS and sensitive-information issue in version 11.0.22-1~deb13u1 for stable. All three advisories recommend upgrading the affected packages and point out that, although no problems are known, the new upstream versions may introduce new options, limits or code changes that can affect existing web applications, so the upstream documentation should be consulted before rolling the update out.

Key Points:

  • Debian released advisories for tomcat9 (DLA-4619), tomcat10 (DSA-6328) and tomcat11 (DSA-6329); the Tomcat 9 and Tomcat 10 advisories are rated critical, the Tomcat 11 advisory moderate.
  • The Tomcat9 and Tomcat10 issues involve authentication bypass and denial of service; the Tomcat11 issue involves denial of service and exposure of sensitive information.
  • Upgrade to the fixed package versions promptly and review the upstream release notes for configuration changes that may affect deployed applications.

Detailed Analysis

**Impact**

Debian systems running the tomcat9, tomcat10 or tomcat11 packages are affected: Debian 11 bullseye (tomcat9, via the LTS advisory), oldstable bookworm (tomcat10) and stable trixie (tomcat10 and tomcat11). Depending on the advisory, the vulnerabilities allow authentication bypass, denial of service (DoS) or exposure of sensitive information, which can disrupt hosted web applications or expose their data. The articles give no figures on affected sectors, geographies or numbers of systems.

**Technical Details**

The Tomcat 9 and Tomcat 10 advisories are rated critical and cover authentication bypass and denial of service; the Tomcat 11 advisory is rated moderate and covers a distributed denial-of-service (DDoS) vector combined with exposure of sensitive information. For Tomcat 9 the Tomcat native library, libtcnative-1, was upgraded alongside the tomcat9 package; the advisory describes this as required to address the vulnerabilities and to restore compatibility with Tomcat 9, and does not say whether the native library itself had a flaw. The articles name no CVE identifiers, malware or attacker infrastructure, and give no details of the vulnerable components beyond the package names. In kill-chain terms these are exploitation-stage issues (authentication bypass, denial of service) with a post-exploitation component where sensitive information can be read.

**Recommended Response**

Apply the updates: tomcat9 9.0.118-0+deb11u1 on Debian 11 bullseye (together with the accompanying libtcnative-1 update), tomcat10 10.1.55-1~deb12u1 on bookworm or 10.1.55-1~deb13u1 on trixie, and tomcat11 11.0.22-1~deb13u1 on trixie. Because these are new upstream versions rather than minimal backported fixes, read the upstream changelogs for new options, limits or code changes and re-test existing web applications in a staging environment before promoting the update. Monitor access and authentication logs for unexpected successful authentications and for request patterns consistent with denial of service. The articles supply no IOCs or detection signatures.
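A practical first step is to find out which hosts are still below the fixed versions named above. The script below is an added example, not code from Debian or the advisories: it re-implements the version comparison algorithm of `dpkg --compare-versions` (epoch, upstream and revision compared in turn, digit runs numerically, `~` sorting before anything else) so it can run off-host over collected `dpkg-query` output, and compares the tomcat packages against the four fixed versions listed on this page. The sample `dpkg-query` output, the `audit` function name and the libtcnative-1 version in the sample are constructed for illustration; the page gives no fixed version for libtcnative-1, so that package is deliberately skipped.

```python
"""Check Debian tomcat packages against the fixed versions from DLA-4619,
DSA-6328 and DSA-6329. Added example; the comparison re-implements dpkg's
algorithm and is not code from Debian or the advisories."""

_DIGITS = "0123456789"

# Fixed versions taken from the advisories on this page, keyed by (suite, package).
FIXED_VERSIONS = {
    ("bullseye", "tomcat9"): "9.0.118-0+deb11u1",   # DLA-4619 (Debian 11 LTS)
    ("bookworm", "tomcat10"): "10.1.55-1~deb12u1",  # DSA-6328 (oldstable)
    ("trixie", "tomcat10"): "10.1.55-1~deb13u1",    # DSA-6328 (stable)
    ("trixie", "tomcat11"): "11.0.22-1~deb13u1",    # DSA-6329 (stable)
}


def _order(c):
    """Sort weight of one character, as in dpkg: end of string is 0, '~' sorts
    before it, letters sort by ASCII, other punctuation after all letters."""
    if not c:
        return 0
    if c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings dpkg-style by
    alternating non-digit runs (via _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:  # longer digit run means larger number
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def debian_version_cmp(v1, v2):
    """Return <0, 0 or >0 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def audit(dpkg_output, suite):
    r"""Take the text of `dpkg-query -W -f='${Package} ${Version}\n'` plus the
    suite codename and return {package: 'fixed' | 'vulnerable'} for every
    package the advisories cover; other packages are skipped."""
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split(None, 1)
        fixed = FIXED_VERSIONS.get((suite, pkg))
        if fixed is None:
            continue
        result[pkg] = "fixed" if debian_version_cmp(ver.strip(), fixed) >= 0 else "vulnerable"
    return result


# Constructed sample of dpkg-query output for a trixie host (not real data).
SAMPLE_TRIXIE = """\
tomcat10 10.1.50-1~deb13u1
tomcat11 11.0.22-1~deb13u1
libtcnative-1 2.0.8-1
"""

if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_TRIXIE, "trixie").items()):
        print(f"{pkg}: {status}")
```

The detail worth noticing is the `~` rule: `10.1.55-1~deb13u1` sorts below a plain `10.1.55-1`, while `9.0.118-0+deb11u1` sorts above `9.0.118-0`, so a naive string or tuple comparison would misjudge both Debian backport suffix styles. On the Debian host itself `dpkg --compare-versions "$installed" ge "$fixed"` gives the same answer without any of this code.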

Source articles (3)

  • Debian Tomcat9 Critical Auth Bypass DoS Advisory DLA-4619 — Linuxsecurity · 2026-06-07
    In order to address certain vulnerabilities and restore the compatibility with Tomcat 9, an upgrade of the Tomcat native library, libtcnative-1, was required as well. Although we are not aware of any…
  • Debian Tomcat10 Critical Denial Of Service Auth Bypass Vuln DSA-6328 — Linuxsecurity · 2026-06-08
    Although we are not aware of any problems, new upstream versions may introduce new options, limits or code changes which may or may not affect your existing web applications. We recommend to consult t…
  • Debian Tomcat11 Moderate DDoS Bypass Sensitive Info Vuln DSA-6329 — Linuxsecurity · 2026-06-08
    Although we are not aware of any problems, new upstream versions may introduce new options, limits or code changes which may or may not affect your existing web applications. We recommend to consult t…

Timeline

  • 2026-06-07 — Debian Tomcat9 advisory released: DLA-4619 addresses critical authentication bypass and DoS vulnerabilities in tomcat9 for Debian 11 bullseye, urging an upgrade to version 9.0.118-0+deb11u1 together with the accompanying libtcnative-1 update.
  • 2026-06-08 — Debian Tomcat10 advisory released: DSA-6328 fixes critical denial-of-service and authentication-bypass vulnerabilities in tomcat10, recommending upgrades to version 10.1.55-1~deb12u1 (bookworm) or 10.1.55-1~deb13u1 (trixie).
  • 2026-06-08 — Debian Tomcat11 advisory released: DSA-6329 addresses moderate DDoS and sensitive-information vulnerabilities in tomcat11, advising an upgrade to version 11.0.22-1~deb13u1 (trixie).

Related entities

  • DDoS (Attack Type)
  • Denial of Service (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • Debian (Project)
  • Linux (Platform)