Fwd: [thredds] [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass

11 views
Skip to first unread message

Roy Mendelssohn - NOAA Federal

unread,
Feb 18, 2026, 1:23:41 PM (2 days ago) Feb 18
to erDDAP Bob Simons via
Please see below and if you are using tomcat to run ERDDAP™  please update it.   This is good security practice and also so you don’t get flagged if you get scanned.

Thanks,

-Roy


Begin forwarded message:

From: Jennifer Oxelson Ganter <oxe...@ucar.edu>
Subject: [thredds] Fwd: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass
Date: February 18, 2026 at 8:08:00 AM PST
To: THREDDS community <thr...@unidata.ucar.edu>

There are a variety of new CVEs out for Tomcat versions 9 - 11.  Please make sure you're running the most recent versions.
https://tomcat.apache.org/





---------- Forwarded message ---------
From: Mark Thomas <ma...@apache.org>
Date: Tue, Feb 17, 2026 at 11:30 AM
Subject: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass
To: Tomcat Users List <us...@tomcat.apache.org>, anno...@tomcat.apache.org <anno...@tomcat.apache.org>, <anno...@apache.org>, Tomcat Developers List <d...@tomcat.apache.org>


CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.11
Apache Tomcat Native 1.3.0 to 1.3.4
Apache Tomcat 11.0.0-M1 to 11.0.17
Apache Tomcat 10.1.0-M7 to 10.1.51
Apache Tomcat 9.0.83 to 9.0.114
Older, EOL versions may also be affected

Description:
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of
the Tomcat Native code) did not complete verification or freshness
checks on the OCSP response which could allow certificate revocation to
be bypassed.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 11.0.18 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 9.0.115 or later

Credit:
This issue was identified by Joshua Rogers (@MegaManSec)

History:
2026-02-17 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html






--
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter                                       NSF Unidata
Software Engineer IV                                          P.O. Box 3000 
oxe...@ucar.edu                                       Boulder, CO 80307
------------------------------------------------------------------------------------

_________________________________________________________
NOTE: All exchanges posted to NSF Unidata maintained email lists are
made publicly available through the web. Users who post to any of the
lists we maintain are reminded to remove any personal information that
they do not want to be made public.

NSF Unidata thredds Mailing List
(thr...@unidata.ucar.edu)
For list information, to unsubscribe, or change your membership options,
visit: https://mailinglists.unidata.ucar.edu/listinfo/thredds/

Reply all
Reply to author
Forward
0 new messages