Hi,
We have ArcGIS Server 11.5 and ArcGIS Portal 11.3 in our production environment, with the vulnerabilities below highlighted by our organization's Cyber Security Team. Please advise on these, since I have not been able to find any patches or documents that address these exact vulnerabilities for these specific ArcGIS Enterprise versions.
---------------------------------------------------------------------------------------------------------------------------
This advisory covers Apache Tomcat security updates that address two major vulnerabilities impacting several supported versions of its open-source application server. These vulnerabilities could be exploited to carry out session fixation attacks or to trigger denial of service (DoS) using the MadeYouReset technique in HTTP/2.
CVE-2025-55668 - Session Fixation via Rewrite Valve
6.5 Medium
Apache Tomcat's rewrite valve mechanism contains a session fixation flaw, which could let attackers assign a session ID to a user before they log in, potentially enabling session hijacking.
CVE-2025-48989 - Denial-of-Service via MadeYouReset HTTP/2 Technique
7.5 High
Apache Tomcat is susceptible to the MadeYouReset attack, which exploits the HTTP/2 protocol by mishandling stream resets, leading to resource exhaustion.
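A first check a practitioner can run before taking the advisory to the vendor (this is an added example, not code from Esri, Apache, or anyone in this thread): read the version Tomcat records inside its own `lib/catalina.jar` and compare it against the first releases that fix the two CVEs. The script is generic Tomcat tooling and makes no claim about where ArcGIS Enterprise keeps its bundled Tomcat; the fixed-version table is an assumption taken from the Apache Tomcat security pages for these CVEs and should be confirmed there, and the in-memory jar used for the demo is constructed sample data.

```python
#!/usr/bin/env python3
"""Report whether a Tomcat install is below the first releases fixing
CVE-2025-48989 (MadeYouReset HTTP/2 DoS) and CVE-2025-55668 (rewrite-valve
session fixation).  Added example, not Esri or Apache code."""
import io
import re
import sys
import zipfile

# Assumption: first fixed release per supported branch, as listed on the
# Apache Tomcat security pages for these CVEs.  Confirm before relying on it.
FIXED_RELEASES = {
    "CVE-2025-48989": {(9, 0): (9, 0, 108), (10, 1): (10, 1, 44), (11, 0): (11, 0, 10)},
    "CVE-2025-55668": {(9, 0): (9, 0, 108), (10, 1): (10, 1, 44), (11, 0): (11, 0, 10)},
}

# Tomcat writes server.number as "major.minor.patch.build"; "major.minor.patch" is
# also accepted so the same parser works on the value from the version script.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def parse_version(text):
    """'9.0.107.0' -> (9, 0, 107); raises ValueError on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def read_server_version(catalina_jar):
    """Read server.number from ServerInfo.properties inside lib/catalina.jar.

    catalina_jar may be a path or any file-like object zipfile accepts."""
    with zipfile.ZipFile(catalina_jar) as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties").decode("utf-8")
    for line in props.splitlines():
        if line.startswith("server.number="):
            return parse_version(line.split("=", 1)[1])
    raise ValueError("server.number not found in ServerInfo.properties")


def vulnerable_cves(version):
    """Return the CVE ids whose first fixed release is above this version.

    A branch with no entry in FIXED_RELEASES (for example end-of-life 8.5.x)
    has no fixed release at all, so it is treated as affected by every CVE."""
    branch = version[:2]
    return [
        cve
        for cve, fixes in FIXED_RELEASES.items()
        if fixes.get(branch) is None or version < fixes[branch]
    ]


def make_sample_jar(server_number):
    """Constructed stand-in for lib/catalina.jar (demo data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "org/apache/catalina/util/ServerInfo.properties",
            f"server.info=Apache Tomcat/{server_number}\nserver.number={server_number}\n",
        )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: tomcat_cve_check.py /path/to/tomcat/lib/catalina.jar
    # With no argument the constructed sample jar below is inspected instead.
    source = sys.argv[1] if len(sys.argv) > 1 else make_sample_jar("9.0.107.0")
    found = read_server_version(read := source) if False else read_server_version(source)
    affected = vulnerable_cves(found)
    print("Tomcat %d.%d.%d" % found)
    print("below first fixed release for: " + (", ".join(affected) or "none"))
```

A version string below the threshold only tells you that the upstream fix is not present in that release number; a vendor that bundles Tomcat may have backported a fix without changing it, or may have other mitigations, so the result is the question to put to the vendor rather than the final answer.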
Could you please report these via the ArcGIS trust center:
https://trust.arcgis.com/en/security-concern/
This will get you the response you need from the appropriate people.