Applications Manager and CVE-2025-48976, CVE-2025-48988, and CVE-2025-49125

Article ID: 412601

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Are Applications Manager and the Tomcat it bundles affected by the following vulnerabilities?

CVE-2025-48976
CVE-2025-48988
CVE-2025-49125

Environment

Applications Manager 9.4+

Resolution

Note that Applications Manager versions 9.4 through 9.5.3 include a full Tomcat installation that can be upgraded to the latest Tomcat release independently of the product (refer to your Tomcat/OS admin). The Applications Manager documentation also covers that procedure here.

For version 9.6, the integrated web server does not use the full Tomcat distribution but only the embedded Tomcat library provided by the Spring framework, so the conclusions below apply.

  • CVE-2025-48976

    Description: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.

    Conclusion: Applications Manager does not ship the Apache Commons FileUpload library with the product, so it is not vulnerable.

  • CVE-2025-48988

    Description: Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. The maximum number of parts is now configurable (maxPartCount on the Connector) with a default of 10 parts.

    Conclusion: Applications Manager does not expose any multipart upload endpoints, so it is not vulnerable.

  • CVE-2025-49125

    Description: When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

    Conclusion: Applications Manager does not use PreResources / PostResources so it is not vulnerable.
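Each of the three conclusions above rests on a checkable fact about the installed tree: which Tomcat jar is present (and its version), whether any commons-fileupload jar is present, and whether any XML configuration declares PreResources or PostResources. The script below is an added example (not Broadcom's or the product's code) that inventories an install directory for exactly those three facts; the install root, the jar name prefixes and the manifest Implementation-Version convention are assumptions, and build_fixture() creates a constructed sample tree, not a real product layout.

```python
"""Inventory an install tree for the facts behind the three CVE conclusions."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed jar name prefixes for the components each advisory concerns.
TOMCAT_JARS = ("tomcat-embed-core", "tomcat-catalina", "catalina")
FILEUPLOAD_JARS = ("commons-fileupload",)
# CVE-2025-49125 only matters if these elements are configured somewhere.
RESOURCE_TAGS = re.compile(r"<(PreResources|PostResources)\b")


def jar_version(jar):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(jar) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def scan_install(root):
    """Walk root; report Tomcat jars, FileUpload jars and XML files using Pre/PostResources."""
    report = {"tomcat": {}, "fileupload": {}, "resources_in": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if path.suffix == ".jar" and zipfile.is_zipfile(path):
            if name.startswith(TOMCAT_JARS):
                report["tomcat"][path.name] = jar_version(path)
            elif name.startswith(FILEUPLOAD_JARS):
                report["fileupload"][path.name] = jar_version(path)
        elif path.suffix == ".xml":
            if RESOURCE_TAGS.search(path.read_text(errors="replace")):
                report["resources_in"].append(str(path.relative_to(root)))
    return report


def build_fixture():
    """Constructed sample tree (placeholder version, not a product layout) for a dry run."""
    root = tempfile.mkdtemp(prefix="am-scan-")
    lib = Path(root, "lib")
    lib.mkdir()
    with zipfile.ZipFile(lib / "tomcat-embed-core-EXAMPLE.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 0.0.0-example\n")
    Path(root, "conf").mkdir()
    Path(root, "conf", "context.xml").write_text(
        '<Context><Resources><PostResources base="x" webAppMount="/s"/></Resources></Context>')
    return root
```

Run scan_install() against the real install root and compare the reported Tomcat version with the fixed releases listed in the Apache Tomcat advisories; an empty "fileupload" map and an empty "resources_in" list confirm the first and third conclusions for that host.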