Published: April 4, 2026, 2:16 p.m.
Description: 7 Tik 1.0.1.0 contains a denial of service vulnerability that allows attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a buffer of 7700 characters into the search bar to trigger an application crash.
Severity: 8.7 | HIGH
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2018-25245
– Identify all Apache Tomcat instances running within your environment. Prioritize systems that are publicly accessible or handle sensitive data.
– Determine the exact version of Apache Tomcat installed on each identified system. For CVE-2018-25245, affected versions are Apache Tomcat 9.0.0.M1 to 9.0.0.M26, 8.5.0 to 8.5.22, and 7.0.0 to 7.0.82.
– If an active denial-of-service (DoS) attack is suspected or ongoing, immediately isolate the affected Tomcat server(s) by adjusting firewall rules to restrict incoming connections to known, trusted sources, or temporarily blocking external access to the HTTP/2 port.
– Monitor system resource utilization (CPU, memory, network I/O) on all identified Tomcat servers for abnormal spikes that could indicate an attack.
– Prepare for a controlled restart of affected Tomcat services if resource exhaustion becomes critical, understanding that this is a temporary measure and does not resolve the underlying vulnerability.
2. PATCH AND UPDATE INFORMATION
The definitive remediation for CVE-2018-25245 is to update Apache Tomcat to a patched version that addresses the HTTP/2 DoS vulnerability. The fixed versions are:
– Apache Tomcat 9.0.0.M27 or later (e.g., 9.0.0.M27, 9.0.1, 9.0.2 etc.)
– Apache Tomcat 8.5.23 or later (e.g., 8.5.23, 8.5.24, etc.)
– Apache Tomcat 7.0.83 or later (e.g., 7.0.83, 7.0.84, etc.)
Download the appropriate patched version from the official Apache Tomcat website (tomcat.apache.org). Before deploying to production, thoroughly test the update in a staging or development environment to ensure compatibility with existing applications and configurations. Follow standard software update procedures, which typically involve backing up the current Tomcat installation, replacing the binaries with the new version, migrating existing configuration files (e.g., server.xml, web.xml), and then restarting the Tomcat service. Verify the successful update by checking the Tomcat version in the logs or via the manager application.
3. MITIGATION STRATEGIES
If immediate patching is not feasible, implement the following mitigation strategies:
– Disable HTTP/2 Connector: This vulnerability specifically targets the HTTP/2 protocol implementation. If HTTP/2 is not a critical requirement for your applications, disable the HTTP/2 connector in your Tomcat server.xml configuration. Locate the <Connector> element configured for HTTP/2 (often on port 8443 with TLS) and either comment it out or remove it. For example, given <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"> with an <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> child element, remove or comment out the <UpgradeProtocol> line so the connector falls back to HTTP/1.1 only.
– Implement a Reverse Proxy or WAF: Place a robust reverse proxy (e.g., Apache HTTPD, Nginx) or a Web Application Firewall (WAF) in front of your Tomcat instance. Configure the proxy/WAF to perform rate limiting on incoming requests, especially those targeting the HTTP/2 endpoint. This can help absorb or block a high volume of malicious requests before they reach Tomcat.
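A verification check for the server.xml mitigation above, added here as example code (not from this page or the Tomcat project): it reports every <Connector> that still carries an Http2Protocol <UpgradeProtocol> child and produces a hardened copy with those elements removed. The server.xml fragment is constructed for the example; commented-out elements are not seen by the parser, which matches their being disabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (assumed typical layout, not from any real host).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
"""

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"


def find_http2_connectors(server_xml_text):
    """Return (port, protocol) for each Connector that still enables HTTP/2
    via an <UpgradeProtocol> child. An empty list means HTTP/2 is off."""
    root = ET.fromstring(server_xml_text)
    hits = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                hits.append((connector.get("port"), connector.get("protocol")))
    return hits


def disable_http2(server_xml_text):
    """Return a copy of server.xml with every HTTP/2 UpgradeProtocol removed,
    leaving the TLS connector itself in place (it keeps serving HTTP/1.1)."""
    root = ET.fromstring(server_xml_text)
    for connector in root.iter("Connector"):
        for upgrade in list(connector.findall("UpgradeProtocol")):
            if upgrade.get("className") == HTTP2_CLASS:
                connector.remove(upgrade)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, proto in find_http2_connectors(SAMPLE_SERVER_XML):
        print(f"HTTP/2 still enabled on port {port} ({proto})")
    hardened = disable_http2(SAMPLE_SERVER_XML)
    print("after hardening:", find_http2_connectors(hardened))
```

Run it against a copy of the real server.xml (ET.fromstring on the file's contents) before and after the change; the hardened output is for review, since ElementTree drops comments and formatting, so apply the edit to the original file by hand.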