Hi everyone , I have a question about this CVE.
Am I correct if I say that this CVE impacts only tomcat instances that
use tomcat native or, in other words tomcat instances that use OpenSSL
for TLS instead of JSSE?
-------- Forwarded Message --------
Subject: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native -
OCSP revocation bypass
Date: Tue, 17 Feb 2026 18:21:16 +0000
From: Mark Thomas <[email protected]>
Reply-To: Tomcat Users List <[email protected]>
To: Tomcat Users List <[email protected]>,
[email protected] <[email protected]>,
[email protected], Tomcat Developers List <[email protected]>
CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.11
Apache Tomcat Native 1.3.0 to 1.3.4
Apache Tomcat 11.0.0-M1 to 11.0.17
Apache Tomcat 10.1.0-M7 to 10.1.51
Apache Tomcat 9.0.83 to 9.0.114
Older, EOL versions may also be affected
Description:
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of
the Tomcat Native code) did not complete verification or freshness
checks on the OCSP response which could allow certificate revocation to
be bypassed.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 11.0.18 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 9.0.115 or later
Credit:
This issue was identified by Joshua Rogers (@MegaManSec)
History:
2026-02-17 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
