Urgent Security Updates Issued for Apache Tomcat Vulnerabilities

Posted on April 13, 2026 By CWS

The Apache Software Foundation has released security updates that fix several vulnerabilities in Apache Tomcat. Administrators running affected versions should apply them to keep their server environments secure.

Critical Security Flaws Identified

The most significant issue stems from a flawed security patch: the fix for an earlier vulnerability inadvertently left servers open to a bypass. Together with a padding-oracle weakness and a certificate-authentication flaw, this prompted calls for administrators to patch their systems promptly.

Details on EncryptInterceptor and Padding Oracle Issues

The primary concern is the faulty patch for CVE-2026-29146, a severe vulnerability in which the EncryptInterceptor used Cipher Block Chaining (CBC) mode by default. Because CBC with padding provides no integrity protection on its own, this configuration exposed servers to padding oracle attacks, through which an attacker could potentially decrypt traffic.
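As an added illustration of why the CBC default described above matters (this is not Tomcat's code and does not model the actual Tomcat fix): a receiver that unpads before authenticating gives different answers to differently tampered ciphertexts, while an encrypt-then-MAC receiver that verifies the tag first gives one uniform answer. The block cipher is a toy XOR/HMAC stand-in chosen so the example runs on the Python standard library; keys, IV and messages are constructed values.

```python
import hashlib
import hmac

BLOCK = 16
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))  # byte-wise XOR helper

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # Toy CBC whose "block cipher" is XOR with an HMAC-derived per-block keystream: NOT secure, NOT Tomcat's code; only the chaining/padding structure matters.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, (i // BLOCK).to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]
        block = data[i:i + BLOCK]
        if decrypt:
            out.append(_xor(_xor(block, ks), prev))
            prev = block
        else:
            prev = _xor(_xor(block, prev), ks)
            out.append(prev)
    return b"".join(out)

def naive_receive(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    try:
        pkcs7_unpad(cbc(key, iv, ciphertext, decrypt=True))
        return "accepted"
    except ValueError:
        return "bad padding"  # a distinguishable answer to tampering: this is the oracle

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = iv + cbc(enc_key, iv, pkcs7_pad(plaintext))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC

def hardened_receive(enc_key: bytes, mac_key: bytes, message: bytes) -> str:
    # Verify the tag before any decryption or unpadding: every tampered or unauthenticated message gets the same single answer, so no oracle exists.
    body, tag = message[:-32], message[-32:]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if len(body) < BLOCK or not hmac.compare_digest(expect, tag):
        return "rejected"
    pkcs7_unpad(cbc(enc_key, body[:BLOCK], body[BLOCK:], decrypt=True))
    return "accepted"
```

Flipping a bit in the last byte of the preceding ciphertext block breaks the padding of the final block, while flipping a bit elsewhere leaves it valid; only the naive receiver lets that difference show.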

Researchers Uri Katz and Avi Lumelsky of Oligo Security identified this cryptographic flaw, and Apache released an initial set of updates in response. That fix, however, introduced another vulnerability, CVE-2026-34486, discovered by Bartlomiej Dmitruk of striga.ai, which allowed attackers to bypass the EncryptInterceptor entirely.

Additional Vulnerabilities and Recommendations

Beyond the EncryptInterceptor issues, Apache addressed a medium-severity vulnerability, CVE-2026-34500, affecting Online Certificate Status Protocol (OCSP) checks. Reported by Haruki Oyama of Waseda University, the flaw could cause unexpected authentication behaviour because OCSP validation failed soft, that is, a revocation check that did not complete successfully was not treated as a failure.

The vulnerabilities affect several Apache Tomcat versions, notably 11.0.20, 10.1.53 and 9.0.116. The broader issues, namely the original padding oracle flaw and the certificate validation error, affect a wider range of earlier versions.

To mitigate these issues, Apache recommends upgrading to Apache Tomcat 11.0.21 or later, 10.1.54 or later, or 9.0.117 or later. Organizations running older, unsupported Tomcat branches should move to a supported release immediately, as those branches will not receive patches for these vulnerabilities.
