BIT-tomcat-2026-24734
Improper Input Validation vulnerability in tomcat-coyote (Maven)
What is BIT-tomcat-2026-24734 About?
This vulnerability is an Improper Input Validation issue in Apache Tomcat Native and Apache Tomcat, allowing certificate revocation to be bypassed. Attackers can exploit this by manipulating OCSP responses, which could lead to unauthorized access or communication with revoked certificates. Exploitation is moderately difficult, requiring an attacker to intercept or control OCSP responses.
Affected Software
- org.apache.tomcat:tomcat-coyote
  - >=11.0.0-M1, <11.0.18
  - >=9.0.83, <9.0.115
  - >=10.1.0-M7, <10.1.52
- org.apache.tomcat.embed:tomcat-embed-core
  - >=11.0.0-M1, <11.0.18
  - >=9.0.83, <9.0.115
  - >=10.1.0-M7, <10.1.52
Technical Details
The vulnerability arises because Apache Tomcat Native and Apache Tomcat, when using an OCSP responder, do not perform adequate verification or freshness checks on the received OCSP response. This means that if an attacker can intercept or manipulate the OCSP response to an application attempting to establish a secure connection, they can bypass certificate revocation status checks. The application would then proceed with communication using a certificate that should have been invalidated, effectively nullifying the security control provided by OCSP. The attack vector involves presenting a stale or crafted OCSP response that indicates a revoked certificate is still valid.
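The checks the paragraph above describes as missing are, on the relying-party side, simple comparisons on the fields an OCSP response carries. The following is an added example written for this page, not code from Apache Tomcat or Tomcat Native: it models a single OCSP response as a dataclass (the class, timestamps and nonce are constructed for the example, and signature verification of the response is assumed to have already passed) and rejects replayed, expired or mismatched responses before the certificate status is consulted.

```python
"""Freshness and nonce checks on an OCSP response.

Added example, not code from Apache Tomcat or Tomcat Native. A stale "good"
response captured before a revocation is only useful to an attacker if the
client does not check that the response is current and bound to its own
request; these are the checks a relying party applies to thisUpdate,
nextUpdate, the nonce and certStatus. All values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class OcspSingleResponse:
    cert_status: str                  # "good", "revoked" or "unknown"
    this_update: datetime             # time the status was known to be correct
    next_update: Optional[datetime]   # responder's "valid until", may be absent
    nonce: Optional[bytes]            # request nonce echoed back, may be absent


def check_ocsp_freshness(
    resp: OcspSingleResponse,
    *,
    now: datetime,
    expected_nonce: Optional[bytes],
    max_skew: timedelta = timedelta(minutes=5),
    max_age: timedelta = timedelta(hours=24),
) -> Tuple[bool, str]:
    """Return (accepted, reason); any failure means the certificate is not trusted.

    Order matters: a replayed or expired response is rejected before its
    certStatus is looked at, otherwise an old "good" answer wins.
    """
    # The nonce binds the response to this request; a replay of an earlier
    # answer carries the old nonce (or none at all).
    if expected_nonce is not None and resp.nonce != expected_nonce:
        return False, "nonce mismatch"
    # thisUpdate in the future means a bad clock or a forged timestamp.
    if resp.this_update > now + max_skew:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        if resp.next_update < resp.this_update:
            return False, "nextUpdate precedes thisUpdate"
        # Past nextUpdate the responder no longer vouches for this status.
        if resp.next_update < now - max_skew:
            return False, "response expired (past nextUpdate)"
    elif now - resp.this_update > max_age:
        # Without nextUpdate, cap the age locally instead of trusting forever.
        return False, "response too old and no nextUpdate"
    # Only now is the status itself meaningful; "unknown" fails closed.
    if resp.cert_status != "good":
        return False, f"certificate status is {resp.cert_status}"
    return True, "fresh and good"


NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
NONCE = b"\x5a\xa5\x00\x01"                              # constructed request nonce


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed responses; returns {name: (accepted, reason)}."""
    good_window = (NOW - timedelta(hours=1), NOW + timedelta(hours=6))
    cases = {
        "fresh": OcspSingleResponse("good", *good_window, NONCE),
        # a "good" answer captured 10 days ago, replayed after the certificate was revoked
        "replayed_stale": OcspSingleResponse(
            "good", NOW - timedelta(days=10), NOW - timedelta(days=3), NONCE
        ),
        "wrong_nonce": OcspSingleResponse("good", *good_window, b"\x00"),
        "old_no_next_update": OcspSingleResponse("good", NOW - timedelta(days=2), None, NONCE),
        "revoked": OcspSingleResponse("revoked", *good_window, NONCE),
    }
    return {
        name: check_ocsp_freshness(r, now=NOW, expected_nonce=NONCE)
        for name, r in cases.items()
    }


if __name__ == "__main__":
    for name, (accepted, reason) in scenarios().items():
        print(f"{name:20s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The `max_age` fallback is a local policy choice, since a response without nextUpdate has no responder-supplied expiry; whether a missing nonce is tolerated is likewise policy, and the example only enforces the nonce when the request sent one.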
What is the Impact of BIT-tomcat-2026-24734?
Successful exploitation may allow attackers to bypass certificate revocation checks, leading to applications accepting and communicating with revoked certificates. This undermines the security posture by allowing unauthorized access or continued trust in compromised credentials.
What is the Exploitability of BIT-tomcat-2026-24734?
Exploitation of this vulnerability requires an attacker to be in a position to intercept or manipulate OCSP responses, typically a Man-in-the-Middle (MitM) scenario. The complexity is moderate, as it involves network-level interference. No specific authentication or privilege is required on the target server itself for the direct attack; however, network control is a prerequisite. This is a remote exploitation scenario. Special conditions include the target application attempting to use OCSP for certificate revocation checks. The risk factor increases in environments where network traffic can be easily intercepted or altered, and where timely certificate revocation is critical without secondary verification mechanisms in place.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-tomcat-2026-24734?
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >=9.0.83, <9.0.115 → Upgrade to 9.0.115
  - >=10.1.0-M7, <10.1.52 → Upgrade to 10.1.52
  - >=11.0.0-M1, <11.0.18 → Upgrade to 11.0.18
- org.apache.tomcat:tomcat-coyote
  - >=9.0.83, <9.0.115 → Upgrade to 9.0.115
  - >=10.1.0-M7, <10.1.52 → Upgrade to 10.1.52
  - >=11.0.0-M1, <11.0.18 → Upgrade to 11.0.18
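To act on the ranges above, a practitioner needs to compare a declared dependency version against them, including the milestone builds (for example 11.0.0-M1) that Maven orders before the release they precede. The following added example, not tooling from Apache Tomcat or from Resolved Security, encodes the advisory's affected ranges and upgrade targets, orders the version formats those ranges use, and audits a constructed pom.xml snippet.

```python
"""Check Maven dependency versions against this advisory's affected ranges.

Added example, not tooling from Apache Tomcat or Resolved Security. The
ranges and upgrade targets are the ones the advisory lists; the ordering
rule (a milestone such as 11.0.0-M1 sorts before the 11.0.0 release, as
Maven orders them) covers only the formats those ranges use. The pom.xml
snippet is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# (first affected, first fixed): versions >= low and < high are vulnerable,
# and `high` is the upgrade target the advisory gives for that branch.
AFFECTED_RANGES = [
    ("9.0.83", "9.0.115"),
    ("10.1.0-M7", "10.1.52"),
    ("11.0.0-M1", "11.0.18"),
]
ADVISORY = {
    "org.apache.tomcat:tomcat-coyote": AFFECTED_RANGES,
    "org.apache.tomcat.embed:tomcat-embed-core": AFFECTED_RANGES,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key for the version formats in this advisory (x.y.z or x.y.z-Mn)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        # Unresolved properties such as ${tomcat.version} or other qualifiers:
        # feed the resolved version (e.g. from `mvn dependency:list`) instead.
        raise ValueError(f"unsupported version format: {version!r}")
    major, minor, patch, milestone = m.groups()
    # A milestone precedes its release: (..., 0, n) < (..., 1, 0)
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def assess(coordinate: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_to) for a groupId:artifactId and a version."""
    ranges = ADVISORY.get(coordinate)
    if ranges is None:
        return False, None  # not an artifact this advisory covers
    key = version_key(version)
    for low, high in ranges:
        if version_key(low) <= key < version_key(high):
            return True, high
    return False, None


# Constructed POM: one affected version, one exactly at the fix, one below the range.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>10.1.40</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-coyote</artifactId>
      <version>11.0.18</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-coyote</artifactId>
      <version>9.0.82</version>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace that Maven POMs declare."""
    return tag.rsplit("}", 1)[-1]


def dependencies_from_pom(pom_text: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for each <dependency> with a literal version."""
    deps = []
    for dep in ET.fromstring(pom_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if "version" not in fields:
            continue  # version managed elsewhere (parent/BOM); resolve it first
        deps.append((f"{fields['groupId']}:{fields['artifactId']}", fields["version"]))
    return deps


def audit_pom(pom_text: str) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Rows of (coordinate, version, affected, upgrade_to) for every dependency."""
    return [(c, v, *assess(c, v)) for c, v in dependencies_from_pom(pom_text)]


if __name__ == "__main__":
    for coord, ver, affected, fix in audit_pom(SAMPLE_POM):
        print(f"{coord} {ver}: {f'AFFECTED, upgrade to {fix}' if affected else 'not affected'}")
```

A literal version in pom.xml is only the declared version; what actually ships is the resolved one after dependency management and transitive resolution, so the same `assess` function is better fed with the output of `mvn dependency:list` than with the raw POM.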
Additional Resources
What are Similar Vulnerabilities to BIT-tomcat-2026-24734?
Similar Vulnerabilities: CVE-2023-45660, CVE-2023-44487, CVE-2022-42890, CVE-2021-39230, CVE-2020-1938
