topic Re: Multiple Vulnerabilities in embedded Apache Tomcat - ArcGIS Server and Portal. CVE-2025-55668, CVE-2025-48989 in ArcGIS Enterprise Questions https://community.esri.com/t5/arcgis-enterprise-questions/multiple-vulnerabilities-in-embedded-apache-tomcat/m-p/1643609#M42881 <P>Could you please report these via the ArcGIS trust center:</P><P><A href="https://trust.arcgis.com/en/security-concern/" target="_blank">https://trust.arcgis.com/en/security-concern/</A></P><P>This will get you the response you need from the appropriate people.&nbsp;</P><P>&nbsp;</P> Wed, 20 Aug 2025 09:32:16 GMT A_Wyn_Jones 2025-08-20T09:32:16Z Multiple Vulnerabilities in embedded Apache Tomcat - ArcGIS Server and Portal. CVE-2025-55668, CVE-2025-48989 https://community.esri.com/t5/arcgis-enterprise-questions/multiple-vulnerabilities-in-embedded-apache-tomcat/m-p/1643604#M42880 <P>Hi,</P><P>We have ArcGIS Server 11.5 and ArcGIS Portal 11.3 in production environment with the below highlighted vulnerabilities by our organization Cyber Security Team. please need advice for the same, since i have not been able to find any patches or documents which addresses the exact same vulnerabilities for the specific ArcGIS Enterprise Versions.</P><P>---------------------------------------------------------------------------------------------------------------------------</P><P>This advisory addresses Apache Tomcat security updates addressing two major vulnerabilities, impacting several supported versions of its open-source application server. These vulnerabilities could be exploited to carry out session fixation attacks or trigger denial-of-service (DoS) using the MadeYouReset method in HTTP/2.</P><P><BR /><STRONG>CVE-2025-55668 -&nbsp;Session Fixation via Rewrite Valve</STRONG><BR />6.5 Medium<BR />Apache Tomcat's rewrite valve mechanism contains a session fixation flaw, which could let attackers assign a session ID to a user before they log in, potentially enabling session hijacking.</P><P><BR /><STRONG>CVE-2025-48989 -&nbsp;Denial-of-Service via MadeYouReset HTTP/2 Technique</STRONG><BR />7.5 High<BR />Apache Tomcat is susceptible to the MadeYouReset attack, which exploits the HTTP/2 protocol by mishandling stream resets, leading to resource exhaustion.</P> Wed, 20 Aug 2025 08:43:06 GMT https://community.esri.com/t5/arcgis-enterprise-questions/multiple-vulnerabilities-in-embedded-apache-tomcat/m-p/1643604#M42880 vipulsoni 2025-08-20T08:43:06Z Re: Multiple Vulnerabilities in embedded Apache Tomcat - ArcGIS Server and Portal. CVE-2025-55668, CVE-2025-48989 https://community.esri.com/t5/arcgis-enterprise-questions/multiple-vulnerabilities-in-embedded-apache-tomcat/m-p/1643609#M42881 <P>Could you please report these via the ArcGIS trust center:</P><P><A href="https://trust.arcgis.com/en/security-concern/" target="_blank">https://trust.arcgis.com/en/security-concern/</A></P><P>This will get you the response you need from the appropriate people.&nbsp;</P><P>&nbsp;</P> Wed, 20 Aug 2025 09:32:16 GMT https://community.esri.com/t5/arcgis-enterprise-questions/multiple-vulnerabilities-in-embedded-apache-tomcat/m-p/1643609#M42881 A_Wyn_Jones 2025-08-20T09:32:16Z