Applications Manager and CVE-2025-49124, CVE-2025-55668, CVE-2025-52520, CVE-2025-53506, and CVE-2025-48989

Article ID: 412609

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Are Applications Manager and its bundled Tomcat component affected by the vulnerabilities listed below?

CVE-2025-49124
CVE-2025-55668
CVE-2025-52520
CVE-2025-53506
CVE-2025-48989

Environment

Applications Manager 9.4 and above

Resolution

Note that Applications Manager versions between 9.4 and 9.5.3 include a version of Tomcat that can be upgraded to the latest release (refer to your Tomcat/OS admin). The Applications Manager documentation also covers this topic.

For version 9.6, the integrated web server does not run the full Tomcat application; it uses only the embedded Tomcat library provided by the Spring framework, so the conclusions below apply.

  • CVE-2025-49124

    Description of vulnerability: During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability.

    Conclusion: This relates to the Apache Tomcat installer for Windows. Applications Manager uses the embedded Apache Tomcat library and not the installer, so it is not vulnerable.

  • CVE-2025-55668

    Description of vulnerability: If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's session.

    Conclusion: Applications Manager does not offer a configuration option to enable the rewrite valve, so it is not vulnerable.

  • CVE-2025-52520

    Description of vulnerability: For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits.

    Conclusion: Applications Manager uses the embedded Tomcat library, which does not expose any configuration for multipart upload, so it is not vulnerable.

  • CVE-2025-53506

    Description of vulnerability: An uncontrolled resource consumption vulnerability: if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, the result could be a DoS.

    Conclusion: Applications Manager does not provide a way to enable the HTTP/2 protocol, so it is not vulnerable.

  • CVE-2025-48989

    Description of vulnerability: Tomcat's HTTP/2 implementation was vulnerable to the "made you reset" attack. The denial of service typically manifested as an OutOfMemoryError.

    Conclusion: Applications Manager does not provide a way to enable the HTTP/2 protocol, so it is not vulnerable.