Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN187
_____________________________________________________________________

DATE                : 18/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tomcat Native versions
                            prior to 2.0.12, 1.3.5,
           Apache Tomcat versions prior to 11.0.18, 10.1.52, 9.0.115.

=====================================================================
https://lists.apache.org/thread/m2stn80hj4wvvncc55hjo0707rg8yl7p
https://lists.apache.org/thread/y5zdwotqzxompqf7133gr43nmk05n142
https://lists.apache.org/thread/4zz70o7rnzto7q7jxhrpdhdg7pfos6s2
_____________________________________________________________________

CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.11
Apache Tomcat Native 1.3.0 to 1.3.4
Apache Tomcat 11.0.0-M1 to 11.0.17
Apache Tomcat 10.1.0-M7 to 10.1.51
Apache Tomcat 9.0.83 to 9.0.114
Older, EOL versions may also be affected

Description:
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of
the Tomcat Native code) did not complete verification or freshness
checks on the OCSP response which could allow certificate revocation to
be bypassed.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 11.0.18 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 9.0.115 or later

Credit:
This issue was identified by Joshua Rogers (@MegaManSec)

History:
2026-02-17 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

_____________________________________________________________________

CVE-2026-24733 Apache Tomcat - Security constraint bypass with HTTP/0.9

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.14
Apache Tomcat 10.1.0-M1 to 10.1.49
Apache Tomcat 9.0.0.M1 to 9.0.112
Older, EOL versions are also be affected

Description:
Tomcat did not limit HTTP/0.9 requests to the GET method. If a security
constraint was configured to allow HEAD requests to a URI but deny GET
requests, the user could bypass that constraint on GET requests by
sending a (specification invalid) HEAD request using HTTP/0.9.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.15 or later
- Upgrade to Apache Tomcat 10.1.50 or later
- Upgrade to Apache Tomcat 9.0.113 or later

Credit:
This issue was identified by the Apache Tomcat security team

History:
2026-02-17 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

_____________________________________________________________________

CVE-2025-66614 Apache Tomcat - Client certificate verification bypass
due to virtual host mapping

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.14
Apache Tomcat 10.1.0-M1 to 10.1.49
Apache Tomcat 9.0.0.M1 to 9.0.112
Older, EOL versions may also be affected

Description:
Tomcat did not validate that the host name provided via the SNI
extension was the same as the host name provided in the HTTP host header
field. If Tomcat was configured with more than one virtual host and the
TLS configuration for one of those hosts did not require client
certificate authentication but another one did, it was possible for a
client to bypass the client certificate authentication by sending
different host names in the SNI extension and the HTTP host header field.

The vulnerability only applies if client certificate authentication is
only enforced at the Connector. It does not apply if client certificate
authentication is enforced at the web application.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.15 or later
- Upgrade to Apache Tomcat 10.1.50 or later
- Upgrade to Apache Tomcat 9.0.113 or later

Credit:
An external security researcher

History:
2026-02-17 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================