
[GHSA-653p-vg55-5652] Apache Tomcat Uncontrolled Resource Consumption vulnerability #7521

Open
yusuke-koyoshi wants to merge 1 commit into yusuke-koyoshi/advisory-improvement-7521 from yusuke-koyoshi-GHSA-653p-vg55-5652

Conversation

@yusuke-koyoshi

Updates

  • Affected products
  • CVSS v3
  • CVSS v4
  • Description

Comments
The scope of this vulnerability is limited to the bundled example web
application under webapps/examples/, which Apache Tomcat explicitly
does NOT recommend deploying in production. The current advisory
overstates the impact for typical deployments.

== Evidence ==

  1. Apache Tomcat security report lists the affected files all under
    webapps/examples/:
    https://tomcat.apache.org/security-9.html
    https://tomcat.apache.org/security-10.html
    https://tomcat.apache.org/security-11.html

  2. The 9.x backport fix series (9 commits) modified only files under
    webapps/examples/. No source under java/ (production server
    code) was touched. Sample commits:

  3. Apache Tomcat Security Considerations explicitly recommends removing
    the examples webapp in production:
    https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html

== Proposed changes ==

(1) Description — append a Mitigation paragraph at the end of the existing description:

 "Mitigation: This vulnerability does not affect core Apache Tomcat
 server components (tomcat-catalina, tomcat-coyote, tomcat-embed-core,
 etc.). Removing the `webapps/examples/` directory in production
 environments — as recommended by the Apache Tomcat Security
 Considerations documentation
 (https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html) —
 eliminates the attack surface entirely."

(2) Affected packages — remove:

  • org.apache.tomcat:tomcat-catalina

The example webapp lives under webapps/examples/ in the binary
distribution; it is NOT included in the tomcat-catalina artifact
on Maven Central. Verified with the 9.0.117 distribution zip vs
tomcat-catalina-9.0.117.jar: the modified classes
(RequestHeaderExample, SessionExample, etc.) exist only under
webapps/examples/WEB-INF/classes/ in the distribution and are
absent from the tomcat-catalina jar. This causes false-positive
detections on production deployments that depend on tomcat-catalina
without using the examples webapp.

org.apache.tomcat:tomcat (binary distribution that bundles
webapps/examples) is correctly affected and should stay.

(3) CVSS v4.0 — three changes (6.6 -> 6.3):

Before: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U (6.6)
After : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (6.3)

(a) AT (Attack Requirements): N -> P
Exploitation requires the optional examples webapp to be
deployed and reachable. This environmental precondition maps
to AT:P per the CVSS v4.0 spec, not AT:N.

(b) VA (Vulnerable System Availability): H -> L
The "Vulnerable System" is the Tomcat instance. Taking down
the bundled examples webapp does not impair availability of
other webapps deployed on the same instance. The impact is
partial, mapping to VA:L rather than VA:H.

(c) Remove the Threat metric E:U (Exploit Maturity: Unproven)
Vulnerability databases should publish Base metrics only.
Threat metrics are time-varying and should be applied by
downstream consumers (organizations, scanners), not stored at
the source advisory.

   Note: removing `E:U` alone would *raise* the score (since `E:U`
   is a downgrading factor). The Base-metric corrections in (a)
   and (b) above are what actually bring the score down to 6.3,
   reflecting the real-world impact more accurately.

== Request to GitHub Security Curators ==

The "Suggest improvements" UI does not allow editing the Threat metric
E:U. Please remove it manually when applying this proposal so the
final vector contains only Base metrics:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

This aligns with the principle that an advisory database should
publish vendor-neutral Base metrics only, and let downstream tooling
overlay environment-specific Threat/Environmental metrics.
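
The claim in proposed change (2) above, that the modified example classes are present in the binary distribution zip but absent from the tomcat-catalina jar, is the kind of check a scanner or a release engineer would want to script rather than eyeball. The following is an added example, not code from the PR or from the Apache Tomcat project: it lists the entries of any jar/war/zip that belong to the examples webapp, using the two class names the PR cites (RequestHeaderExample, SessionExample) plus the webapps/examples/ path prefix. The two archives it builds in memory are constructed stand-ins whose entry names only mimic the tomcat-catalina-9.0.117.jar and apache-tomcat-9.0.117.zip layouts; point the script at real files to verify the PR's statement yourself.

```python
"""Report whether a Tomcat artifact (jar, war or distribution zip) ships the examples webapp."""
import io
import sys
import zipfile

# Class names the PR cites as living only under webapps/examples/WEB-INF/classes/.
EXAMPLE_CLASSES = frozenset({"RequestHeaderExample.class", "SessionExample.class"})


def is_examples_entry(name: str) -> bool:
    """True if a zip entry belongs to the bundled examples webapp.

    Matches either a path under webapps/examples/ (distribution zip layout) or one
    of the named class files wherever it is packaged (e.g. inside an examples.war).
    """
    normalized = "/" + name.replace("\\", "/")
    basename = normalized.rsplit("/", 1)[-1]
    return "/webapps/examples/" in normalized or basename in EXAMPLE_CLASSES


def find_example_entries(archive: bytes) -> list[str]:
    """Return the sorted entry names of an archive (as bytes) that belong to the examples webapp."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sorted(n for n in zf.namelist() if is_examples_entry(n))


def ships_examples(archive: bytes) -> bool:
    """True if the archive contains any examples webapp entry."""
    return bool(find_example_entries(archive))


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins (assumption: entry names only, not real Tomcat bytes).
# Mimics the layout of tomcat-catalina-9.0.117.jar: server classes, no examples.
FAKE_CATALINA_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/catalina/core/StandardContext.class": b"\xca\xfe\xba\xbe",
    "org/apache/catalina/connector/Request.class": b"\xca\xfe\xba\xbe",
})

# Mimics the layout of apache-tomcat-9.0.117.zip: examples expanded under webapps/.
FAKE_DISTRIBUTION_ZIP = build_archive({
    "apache-tomcat-9.0.117/lib/catalina.jar": b"PK",
    "apache-tomcat-9.0.117/webapps/examples/WEB-INF/classes/RequestHeaderExample.class": b"\xca\xfe\xba\xbe",
    "apache-tomcat-9.0.117/webapps/examples/WEB-INF/classes/SessionExample.class": b"\xca\xfe\xba\xbe",
    "apache-tomcat-9.0.117/webapps/ROOT/index.jsp": b"<html></html>",
})


if __name__ == "__main__":
    # Usage: python check_examples.py tomcat-catalina-9.0.117.jar apache-tomcat-9.0.117.zip
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_example_entries(fh.read())
        print(f"{path}: {'examples present' if hits else 'examples absent'}")
        for hit in hits:
            print("   ", hit)
```

A deployed instance is checked the same way by listing CATALINA_BASE/webapps: if no `examples` directory or `examples.war` is present, the scanner match on tomcat-catalina alone is the false positive the PR describes.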

Copilot AI review requested due to automatic review settings April 28, 2026 07:24
@github-actions github-actions Bot changed the base branch from main to yusuke-koyoshi/advisory-improvement-7521 April 28, 2026 07:25
