Amazon Linux 2 Security Advisory: ALAS2-2026-3204
Advisory Released Date: 2026-03-19
Advisory Updated Date: 2026-03-19
Severity:
Medium
Issue Overview:
A flaw was found in Tomcat. An improper input validation vulnerability allows an attacker to bypass security constraints. Specifically, if a security constraint is configured to permit HEAD requests to a URI but deny GET requests, a malformed or specification invalid HEAD request using the HTTP/0.9 protocol can bypass the intended denial rule, enabling an attacker to access resources that should be protected. (CVE-2026-24733)
Affected Packages:
tomcat
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update tomcat or yum update --advisory ALAS2-2026-3204 to update your system.
New Packages:
noarch:
tomcat-7.0.76-10.amzn2.0.16.noarch
tomcat-admin-webapps-7.0.76-10.amzn2.0.16.noarch
tomcat-docs-webapp-7.0.76-10.amzn2.0.16.noarch
tomcat-javadoc-7.0.76-10.amzn2.0.16.noarch
tomcat-jsvc-7.0.76-10.amzn2.0.16.noarch
tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.16.noarch
tomcat-lib-7.0.76-10.amzn2.0.16.noarch
tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.16.noarch
tomcat-el-2.2-api-7.0.76-10.amzn2.0.16.noarch
tomcat-webapps-7.0.76-10.amzn2.0.16.noarch
src:
tomcat-7.0.76-10.amzn2.0.16.src