BIT-tomcat-2026-29129
Cipher Preference Order vulnerability in tomcat-catalina (Maven)
What is BIT-tomcat-2026-29129 About?
This vulnerability in Apache Tomcat causes the configured cipher preference order not to be preserved, so a TLS/SSL connection may be negotiated with a weaker cipher than the operator intended. This could weaken the security of TLS/SSL connections and make it easier for attackers to compromise encrypted communications. Exploitation would likely require specific network conditions and is of moderate difficulty.
Affected Software
- org.apache.tomcat:tomcat-catalina
  - >=10.1.51, <10.1.53
  - >=11.0.16, <11.0.20
  - >=9.0.114, <9.0.116
- org.apache.tomcat:tomcat
  - >=10.1.51, <10.1.53
  - >=11.0.16, <11.0.20
  - >=9.0.114, <9.0.116
- org.apache.tomcat.embed:tomcat-embed-core
  - >=10.1.51, <10.1.53
  - >=11.0.16, <11.0.20
  - >=9.0.114, <9.0.116
Technical Details
The vulnerability stems from an issue where Apache Tomcat fails to consistently apply the specified cipher suite preference order in its TLS/SSL configuration. When a server and client negotiate a TLS connection, they agree upon a cipher suite from a list supported by both. The server's preference order is intended to guide this negotiation, ensuring stronger ciphers are chosen over weaker ones when available. Due to this flaw, Tomcat might not correctly enforce this configured preference, potentially proposing or accepting a less secure cipher suite earlier in the negotiation process than its configuration dictates. An attacker could potentially influence this negotiation, during a man-in-the-middle scenario or similar network interception, to coerce the connection into using a cipher suite that is easier to break cryptographically.
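To make the negotiation described above concrete, here is an added Python model of server-preference cipher selection and a check a defender can run against an observed handshake. This is example code written for this page, not Tomcat's implementation; the cipher suite names, the server configuration and the client offer are constructed sample data, and the "order lost" selection is a generic illustration of what happens when the configured order is not honoured, not a description of the actual Tomcat defect.

```python
"""Model of TLS cipher-suite selection under a configured preference order.

Added example for this page; not Apache Tomcat code. All suite lists below
are constructed sample data.
"""

# Constructed server configuration, strongest first, as an operator would
# write it in a comma-separated ciphers attribute.
SERVER_CIPHERS_ATTRIBUTE = (
    "TLS_AES_256_GCM_SHA384, "
    "TLS_CHACHA20_POLY1305_SHA256, "
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_RSA_WITH_AES_128_CBC_SHA"
)

# Constructed ClientHello order: this client lists its weakest suite first.
CLIENT_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def parse_ciphers_attribute(value):
    """Split a comma-separated cipher list into an ordered list of suite names,
    preserving the order written and dropping blank entries."""
    return [c.strip() for c in value.split(",") if c.strip()]


def select_server_preference(server_order, client_offer):
    """Correct behaviour: walk the server's configured order and return the
    first suite the client also offered. Returns None when there is no overlap
    (the handshake would fail)."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None


def select_order_lost(server_order, client_offer):
    """What a handshake looks like when the server's configured order is not
    preserved: the intersection is computed, but the choice ends up following
    the client's order instead. Generic illustration, not the Tomcat defect."""
    supported = set(server_order)
    for suite in client_offer:
        if suite in supported:
            return suite
    return None


def check_negotiation(server_order, client_offer, negotiated):
    """Defender-side check: given the configured order, the client's offer and
    the suite actually negotiated (e.g. read from a TLS client's output),
    report whether the server's preference was honoured and how many places
    down the configured list the negotiated suite sits relative to the
    expected one."""
    expected = select_server_preference(server_order, client_offer)
    rank = {suite: i for i, suite in enumerate(server_order)}
    if expected is None:
        drop = None
    else:
        # A suite absent from the configured list ranks below everything in it.
        drop = rank.get(negotiated, len(server_order)) - rank[expected]
    return {
        "expected": expected,
        "negotiated": negotiated,
        "honoured": negotiated == expected,
        "rank_drop": drop,
    }


if __name__ == "__main__":
    order = parse_ciphers_attribute(SERVER_CIPHERS_ATTRIBUTE)
    good = select_server_preference(order, CLIENT_OFFER)
    bad = select_order_lost(order, CLIENT_OFFER)
    print("server preference honoured ->", good)
    print("configured order lost      ->", bad)
    print("check on the bad outcome   ->", check_negotiation(order, CLIENT_OFFER, bad))
```

In practice the `negotiated` value fed to `check_negotiation` comes from a real handshake against the server under test (for example the cipher reported by a TLS client), while `server_order` is parsed from the server's own configuration; a non-zero `rank_drop` on a client offer that lists weak suites first is the symptom this advisory describes.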
What is the Impact of BIT-tomcat-2026-29129?
Successful exploitation may allow attackers to force the use of weaker encryption algorithms during TLS/SSL handshake, potentially enabling them to decrypt sensitive communications or perform other cryptographic attacks by exploiting the inherent weaknesses of the chosen cipher.
What is the Exploitability of BIT-tomcat-2026-29129?
Exploitation of this vulnerability requires a moderate level of complexity, as it primarily involves manipulating TLS/SSL handshake negotiations. No specific authentication is required to attempt to influence cipher suite negotiation, as this occurs at the initial connection setup phase. Privilege escalation is not a direct outcome; rather, the goal is to weaken encryption. This is a remote vulnerability, as an attacker would typically intercept or interfere with network traffic between the client and the Tomcat server. Special conditions, such as the presence of a man-in-the-middle attack vector, would significantly increase the likelihood of successful exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-tomcat-2026-29129?
Available Upgrade Options
- org.apache.tomcat:tomcat-catalina
  - >=9.0.114, <9.0.116 → Upgrade to 9.0.116
  - >=10.1.51, <10.1.53 → Upgrade to 10.1.53
  - >=11.0.16, <11.0.20 → Upgrade to 11.0.20
- org.apache.tomcat.embed:tomcat-embed-core
  - >=9.0.114, <9.0.116 → Upgrade to 9.0.116
  - >=10.1.51, <10.1.53 → Upgrade to 10.1.53
  - >=11.0.16, <11.0.20 → Upgrade to 11.0.20
- org.apache.tomcat:tomcat
  - >=9.0.114, <9.0.116 → Upgrade to 9.0.116
  - >=10.1.51, <10.1.53 → Upgrade to 10.1.53
  - >=11.0.16, <11.0.20 → Upgrade to 11.0.20
Additional Resources
- https://github.com/apache/tomcat
- http://www.openwall.com/lists/oss-security/2026/04/09/22
- https://nvd.nist.gov/vuln/detail/CVE-2026-29129
- https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f
- https://osv.dev/vulnerability/GHSA-69cc-cv78-qc8g
What are Similar Vulnerabilities to BIT-tomcat-2026-29129?
Similar Vulnerabilities: CVE-2015-3183, CVE-2014-0096, CVE-2016-0703, CVE-2016-3092, CVE-2017-12613
