Thx Chris.
On 18-Feb-26 19:42, Christopher Schultz wrote:
Ivano,
On 2/18/26 12:22 PM, Ivano Luberti wrote:
Hi everyone , I have a question about this CVE.
Am I correct if I say that this CVE impacts only tomcat instances
that use tomcat native or, in other words tomcat instances that use
OpenSSL for TLS instead of JSSE?
Correct: if you are not using tcnative at all, then this will not
affect you.
-chris
-------- Forwarded Message --------
Subject: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat
Native - OCSP revocation bypass
Date: Tue, 17 Feb 2026 18:21:16 +0000
From: Mark Thomas <[email protected]>
Reply-To: Tomcat Users List <[email protected]>
To: Tomcat Users List <[email protected]>,
[email protected] <[email protected]>,
[email protected], Tomcat Developers List <[email protected]>
CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.11
Apache Tomcat Native 1.3.0 to 1.3.4
Apache Tomcat 11.0.0-M1 to 11.0.17
Apache Tomcat 10.1.0-M7 to 10.1.51
Apache Tomcat 9.0.83 to 9.0.114
Older, EOL versions may also be affected
Description:
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of
the Tomcat Native code) did not complete verification or freshness
checks on the OCSP response which could allow certificate revocation
to be bypassed.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 11.0.18 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 9.0.115 or later
Credit:
This issue was identified by Joshua Rogers (@MegaManSec)
History:
2026-02-17 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
--
Archimede Informatica tratta i dati personali in conformità a quanto
stabilito dal Regolamento UE n. 2016/679 (GDPR) e dal D. Lgs. 30 giugno
2003 n. 196
per come modificato dal D.Lgs. 10 agosto 2018 n. 101.
Informativa completa
<http://www.archicoop.it/fileadmin/pdf/InformativaTrattamentoDatiPersonali.pdf>
Il contenuto di questo messaggio e dei suoi eventuali allegati è
riservato. Nel caso in cui Lei non sia il destinatario, La preghiamo di
contattare telefonicamente o via e-mail il mittente ai recapiti sopra
indicati e di cancellare il messaggio e gli eventuali allegati dal Suo
sistema senza farne copia o diffonderli. Le opinioni espresse sono
quelle dell'autore e non rappresentano necessariamente quelle della Società.
This message and any attachment are confidential.If you are not the
intended recipient, please telephone or email the sender and delete this
message and any attachment from your system. If you are not the intended
recipient you must not copy this message or attachment or disclose the
contents to any other person. Any opinions presented are solely those of
the author and do not necessarily represent those of the Company.
dott. Ivano Mario Luberti
Archimede Informatica società cooperativa a r. l.
Via Gereschi 36, 56127 Pisa
tel.: +39 050/580959
web: www.archicoop.it
linkedin: www.linkedin.com/in/ivanoluberti
facebook: www.facebook.com/archimedeinformaticapisa/
