=====================================================================
CERT-Renater Information Note No. 2026/VULN377
_____________________________________________________________________

DATE                : 10/04/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Apache Tomcat versions prior to
                      8.19.14, 9.2.8, 9.3.3.
=====================================================================

https://lists.apache.org/thread/hgvbqzrxgygc0bs4q90yc54vftfd1s98
https://lists.apache.org/thread/h8v33b1hwztv0mcvlddgyfx6kgtlhyf9
https://lists.apache.org/thread/96vrrfh486vpz2f579mjq8dppdrt31yz
https://lists.apache.org/thread/jopv52sgm698y6qc180rpphfn9kkvxn2
https://lists.apache.org/thread/0djnshh592307hvqn782589g6ps4xkp1
https://lists.apache.org/thread/sq4jfs2c53fn6x6lvsdd4w5rfdhjvnhx
https://lists.apache.org/thread/jyk1pxskr284w8hmw8j9yqy834bvn35s
https://lists.apache.org/thread/y4rgpnj4y3m8bg5kzjt8yyhx1qmzyx3r
https://lists.apache.org/thread/tqopmm028m2c9v8k0qypy8byvrt5748r
_____________________________________________________________________

CVE-2026-34486 Apache Tomcat - Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.20
Apache Tomcat 10.1.53
Apache Tomcat 9.0.116

Description:
An error in the fix for CVE-2026-29146 allowed the EncryptInterceptor to be bypassed.
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.21 or later
- Upgrade to Apache Tomcat 10.1.54 or later
- Upgrade to Apache Tomcat 9.0.117 or later

Credit:
This issue was identified by Bartlomiej Dmitruk, striga.ai

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-29146 Apache Tomcat - EncryptInterceptor vulnerable to padding oracle attack by default

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.18
Apache Tomcat 10.1.0-M1 to 10.1.52
Apache Tomcat 9.0.13 to 9.0.115
Older, EOS versions may also be affected

Description:
The EncryptInterceptor used CBC by default, which is vulnerable to a padding oracle attack.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.20 or later
- Upgrade to Apache Tomcat 10.1.53 or later
- Upgrade to Apache Tomcat 9.0.116 or later

Credit:
This issue was identified by Uri Katz and Avi Lumelsky (Oligo Security)

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-34500 Apache Tomcat - OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M14 to 11.0.20
Apache Tomcat 10.1.22 to 10.1.53
Apache Tomcat 9.0.92 to 9.0.116

Description:
CLIENT_CERT authentication did not fail as expected for some scenarios when soft fail was disabled and FFM was used.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.21 or later
- Upgrade to Apache Tomcat 10.1.54 or later
- Upgrade to Apache Tomcat 9.0.117 or later

Credit:
This issue was identified by Haruki Oyama (Waseda University)

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-32990 Apache Tomcat - The fix for CVE-2025-66614 is incomplete

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.15 to 11.0.19
Apache Tomcat 10.1.50 to 10.1.52
Apache Tomcat 9.0.113 to 9.0.115

Description:
The validation of the SNI name against the host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed.
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.20 or later
- Upgrade to Apache Tomcat 10.1.53 or later
- Upgrade to Apache Tomcat 9.0.116 or later

Credit:
This issue was identified by zhengg

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-29145 Apache Tomcat and Tomcat Native - OCSP checks sometimes soft-fail even when soft-fail is disabled

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.13
Apache Tomcat Native 1.3.0 to 1.3.6
Apache Tomcat 11.0.0-M1 to 11.0.18
Apache Tomcat 10.1.0-M7 to 10.1.52
Apache Tomcat 9.0.83 to 9.0.115
Older, EOS versions may also be affected

Description:
CLIENT_CERT authentication did not fail OCSP checks as expected for some scenarios when soft fail was disabled.
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat Native 2.0.14 or later
- Upgrade to Apache Tomcat Native 1.3.7 or later
- Upgrade to Apache Tomcat 11.0.20 or later
- Upgrade to Apache Tomcat 10.1.53 or later
- Upgrade to Apache Tomcat 9.0.116 or later

Credit:
This issue was identified by gregk4sec (https://github.com/gregk4sec)

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-24880 Apache Tomcat - Request smuggling via invalid chunk extension

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.18
Apache Tomcat 10.1.0-M1 to 10.1.52
Apache Tomcat 9.0.0.M1 to 9.0.115
Older, EOS versions may also be affected

Description:
Tomcat did not validate the contents of HTTP/1.1 chunk extensions. This enabled a request smuggling attack if a reverse proxy in front of Tomcat allowed CRLF sequences in an otherwise valid chunk extension.
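As an added illustration of what validating chunk-extension contents means for CVE-2026-24880 (this is not code from the advisory or from Tomcat): a strict RFC 9112 chunked-body decoder that only accepts the grammar's token and quoted-string characters in an extension, so a CRLF or bare LF inside one is rejected outright instead of being split on, which removes the parsing disagreement a permissive reverse proxy could otherwise create. The chunked bodies are constructed samples.

```python
import re

# Chunk-size line grammar, RFC 9112 section 7.1.1:
#   chunk     = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
#   chunk-ext = *( BWS ";" BWS token [ BWS "=" ( token / quoted-string ) ] )
# tchar and qdtext exclude CR, LF and other controls, so a CRLF or a bare LF in an
# extension (quoted or not) never matches; a lenient parser skips exactly this check.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])*"'
ONE_EXT = rf"[ \t]*;[ \t]*({TOKEN})(?:[ \t]*=({QUOTED}|{TOKEN}))?"
CHUNK_LINE_RE = re.compile(rf"([0-9A-Fa-f]{{1,8}})((?:{ONE_EXT})*)\r\n")
EXT_RE = re.compile(ONE_EXT)
TRAILERS_RE = re.compile(rf"(?:{TOKEN}:[^\r\n]*\r\n)*\r\n")  # trailer fields + empty line

class ChunkError(ValueError):
    """Raised for any byte sequence outside the chunked-coding grammar."""

def parse_chunk_size_line(line: bytes) -> tuple:
    """Return (size, [(ext-name, raw ext-value or None), ...]) or raise ChunkError."""
    m = CHUNK_LINE_RE.fullmatch(line.decode("latin-1"))
    if m is None:
        raise ChunkError(f"malformed chunk-size line: {line!r}")
    exts = [(name, val or None) for name, val in EXT_RE.findall(m.group(2))]
    return int(m.group(1), 16), exts

def decode_chunked(body: bytes) -> bytes:
    """Strictly decode one chunked message body; raise ChunkError on any deviation."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)  # the size line ends at the first CRLF, always
        if eol < 0:
            raise ChunkError("chunk-size line not terminated by CRLF")
        size, _exts = parse_chunk_size_line(body[pos:eol + 2])
        pos = eol + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk-data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2
    if not TRAILERS_RE.fullmatch(body[pos:].decode("latin-1")):
        raise ChunkError("malformed trailer section or bytes after the last chunk")
    return bytes(out)

def is_rejected(body: bytes) -> bool:
    """True when the strict decoder refuses the body (used for the negative cases)."""
    try:
        decode_chunked(body)
    except ChunkError:
        return True
    return False
```

The same grammar check belongs on the proxy side as well: the smuggling only works when the two parsers disagree on where the extension ends.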
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.20 or later
- Upgrade to Apache Tomcat 10.1.53 or later
- Upgrade to Apache Tomcat 9.0.116 or later

Credit:
This issue was identified by Xclow3n

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-25854 Apache Tomcat - Occasionally open redirect

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.18
Apache Tomcat 10.1.0-M1 to 10.1.52
Apache Tomcat 9.0.0.M23 to 9.0.115
Older, EOS versions may also be affected

Description:
When a Tomcat node in a cluster with the LoadBalancerDrainingValve was in the disabled (draining) state, a specially crafted URL could be used to trigger a redirect to a URI of the attacker's choice.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.20 or later
- Upgrade to Apache Tomcat 10.1.53 or later
- Upgrade to Apache Tomcat 9.0.116 or later

Credit:
This issue was identified by gregk4sec (https://github.com/gregk4sec)

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-29129 Apache Tomcat - Configured TLS cipher preference order not preserved

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.16 to 11.0.18
Apache Tomcat 10.1.51 to 10.1.52
Apache Tomcat 9.0.114 to 9.0.115

Description:
The addition of the ability to configure TLS 1.3 cipher suites did not preserve the order of the configured cipher suites and ciphers.
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.20 or later
- Upgrade to Apache Tomcat 10.1.53 or later
- Upgrade to Apache Tomcat 9.0.116 or later

Credit:
This issue was identified by the Tomcat security team

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
_____________________________________________________________________

CVE-2026-34487 Apache Tomcat - Cloud membership for clustering component exposed the Kubernetes bearer token

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.20
Apache Tomcat 10.1.0-M1 to 10.1.53
Apache Tomcat 9.0.13 to 9.0.116

Description:
The cloud membership for clustering component exposed the Kubernetes bearer token in log messages.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.21 or later
- Upgrade to Apache Tomcat 10.1.54 or later
- Upgrade to Apache Tomcat 9.0.117 or later

Credit:
This issue was identified by Bartlomiej Dmitruk, striga.ai

History:
2026-04-09 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

=========================================================
+ CERT-RENATER        | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel    | fax   : 01-53-94-20-41          +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================