Dear Tomcat Community,

I am writing to inquire about the potential impact of the recently detected critical vulnerability CVE-2024-5535 <https://nvd.nist.gov/vuln/detail/CVE-2024-5535> (9.1 CRITICAL / CVSS v3) in OpenSSL 3.0.13 on the Tomcat 10.1.20 version. According to Black Duck Binary Analysis (BDBA) scans, this vulnerability has been identified within the Tomcat 10.1.20 version. There are other detected vulnerabilities inside OpenSSL on Tomcat, such as CVE-2024-4603 and CVE-2024-2511.

The detected file is: apache-tomcat-10.1.20/bin/tcnative-2.dll

Given this disconcerting discovery, we are seeking clarification on how CVE-2024-5535 may affect the Tomcat 10.1.20 version. It is of utmost importance for us to understand the implications of this vulnerability and to identify any available mitigations or patches to address this issue.

Your prompt attention to this matter is highly valued, and we would be grateful for any assistance or guidance you can provide to help us navigate this potential security concern.

Thank you for your time and consideration.

Best regards,
Peyton Zhong