CVE-2026-24734
📋 TL;DR
This vulnerability in Apache Tomcat Native and Apache Tomcat allows attackers to bypass certificate revocation checks when using OCSP responders. Improper input validation means OCSP responses aren't properly verified for freshness or validity, potentially allowing revoked certificates to be accepted. Affected users include those running vulnerable versions of Apache Tomcat Native or Apache Tomcat with OCSP responder configurations.
💻 Affected Systems
- Apache Tomcat Native
- Apache Tomcat
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use revoked or compromised certificates to establish TLS connections, potentially enabling man-in-the-middle attacks, data interception, or unauthorized access to protected systems.
Likely Case
Bypass of certificate revocation checks allowing revoked certificates to be accepted, compromising the integrity of TLS/SSL connections.
If Mitigated
If proper network segmentation and additional certificate validation layers exist, impact is limited to potential bypass of revocation checks only.
🎯 Exploit Status
Exploitation requires ability to present a revoked certificate and potentially control or intercept OCSP responses. No public exploit code known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Tomcat Native: 1.3.5+, 2.0.12+. Apache Tomcat: 11.0.18+, 10.1.52+, 9.0.115+
Vendor Advisory: https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
Restart Required: Yes
Instructions:
1. Identify affected Tomcat/Tomcat Native versions.
2. Download and install patched versions from the Apache Tomcat website.
3. Replace vulnerable libraries.
4. Restart the Tomcat service.
5. Verify the version update.
🔧 Temporary Workarounds
Disable OCSP responder (applies to: all)
Temporarily disable OCSP responder usage until patching is possible. Note that with OCSP disabled and no CRL configured, revoked certificates are not detected at all, so pair this with the CRL workaround below.
Modify the Tomcat configuration to remove or comment out OCSP responder settings in server.xml or related configuration files.
Use CRL instead of OCSP (applies to: all)
Switch from OCSP to a Certificate Revocation List (CRL) for certificate validation.
Configure Tomcat to use CRL distribution points instead of OCSP responders in the SSL/TLS configuration.
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable Tomcat instances from sensitive systems
- Deploy additional certificate validation layers using web application firewalls or reverse proxies
🔍 How to Verify
Check if Vulnerable:
Check Tomcat version and OCSP configuration. For Tomcat Native: check native library version. For Tomcat: check version in catalina.out or via management interface.
Check Version:
For Tomcat: check the catalina.version property, or run 'bin/version.sh' (which executes 'java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo' and prints 'Server version: Apache Tomcat/x.y.z'). For Tomcat Native: check the startup line 'Loaded Apache Tomcat Native library [x.y.z]' in catalina.out, or inspect the loaded library via 'ldd' on Linux.
Verify Fix Applied:
Verify installed version matches patched versions. Test OCSP responder functionality with revoked test certificates.
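The version comparison described above, as an added example (not Apache code, and not a script from this page): it parses the 'Server version' line that ServerInfo prints and the 'Loaded Apache Tomcat Native library' startup line from catalina.out, then compares each against the first fixed release of its branch as listed in the Official Fix section. The sample output and log text embedded below are constructed; a branch the advisory does not list (for example 8.5.x) is reported as unknown rather than guessed.

```python
"""Compare reported Tomcat / Tomcat Native versions against the fixed
releases listed for CVE-2026-24734. Example code, not Apache's; sample
output and log lines are constructed."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, taken from the Official Fix section above.
TOMCAT_FIXED: Dict[Tuple[int, int], Version] = {
    (9, 0): (9, 0, 115),
    (10, 1): (10, 1, 52),
    (11, 0): (11, 0, 18),
}
TCNATIVE_FIXED: Dict[int, Version] = {
    1: (1, 3, 5),
    2: (2, 0, 12),
}

# ServerInfo prints "Server version: Apache Tomcat/x.y.z".
_SERVERINFO_RE = re.compile(r"Server version:\s*Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
# At startup Tomcat logs "Loaded Apache Tomcat Native library [x.y.z] ...".
_TCNATIVE_RE = re.compile(r"Loaded Apache Tomcat Native library \[(\d+)\.(\d+)\.(\d+)\]")


def parse_tomcat_serverinfo(text: str) -> Optional[Version]:
    """Extract the Tomcat version from ServerInfo output; None if absent."""
    m = _SERVERINFO_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_tcnative_log(log: str) -> Optional[Version]:
    """Extract the Tomcat Native version from catalina.out; None if absent."""
    m = _TCNATIVE_RE.search(log)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def tomcat_is_fixed(v: Version) -> Optional[bool]:
    """True if v is at or above the fix for its major.minor branch, False if
    below, None if the branch is not one the advisory lists."""
    fixed = TOMCAT_FIXED.get((v[0], v[1]))
    if fixed is None:
        return None
    return v >= fixed


def tcnative_is_fixed(v: Version) -> Optional[bool]:
    """Same check for Tomcat Native, keyed on the major version only."""
    fixed = TCNATIVE_FIXED.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


def assess(serverinfo_text: str, catalina_log: str) -> Dict[str, str]:
    """Summarise each component as fixed / vulnerable / unknown-branch / not-found."""
    result: Dict[str, str] = {}
    for name, version, check in (
        ("tomcat", parse_tomcat_serverinfo(serverinfo_text), tomcat_is_fixed),
        ("tomcat-native", parse_tcnative_log(catalina_log), tcnative_is_fixed),
    ):
        if version is None:
            result[name] = "not-found"  # component not present or line not captured
            continue
        verdict = check(version)
        if verdict is None:
            result[name] = "unknown-branch"
        else:
            result[name] = "fixed" if verdict else "vulnerable"
    return result


# Constructed sample output, not captured from a real host.
SAMPLE_SERVERINFO = """Server version: Apache Tomcat/9.0.110
Server built:   Jan 1 2026 00:00:00 UTC
Server number:  9.0.110.0
OS Name:        Linux
"""
SAMPLE_CATALINA_LOG = (
    "01-Feb-2026 10:00:00.000 INFO [main] "
    "org.apache.catalina.core.AprLifecycleListener.lifecycleEvent "
    "Loaded Apache Tomcat Native library [1.3.1] using APR version [1.7.4].\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_SERVERINFO, SAMPLE_CATALINA_LOG))
```

Feed it the real ServerInfo output and the startup portion of catalina.out; a "not-found" for tomcat-native on a host that does not load the APR/OpenSSL connector is expected, and only the Tomcat verdict then applies. Version comparison alone does not prove OCSP handling is correct, so keep the revoked-test-certificate check from the step above.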
📡 Detection & Monitoring
Log Indicators:
- Unusual certificate validation patterns
- OCSP response errors or timeouts
- Failed revocation checks
Network Indicators:
- Suspicious OCSP traffic patterns
- Connections using certificates that should be revoked
SIEM Query:
Search for Tomcat logs containing OCSP validation failures or unusual certificate acceptance patterns