The Apache Software Foundation has issued crucial security updates to rectify several vulnerabilities identified in Apache Tomcat. These updates are essential for maintaining the integrity of server environments affected by these flaws.
Critical Security Flaws Identified
A significant issue arose from an error in a security patch that was itself meant to fix a vulnerability, and that error left servers open to a bypass. The affected areas were certificate authentication and resistance to padding-oracle attacks, prompting administrators to act immediately to safeguard their systems.
Details on EncryptInterceptor and Padding Oracle Issues
The primary concern involves a faulty security patch linked to CVE-2026-29146, a severe vulnerability in which the EncryptInterceptor used Cipher Block Chaining (CBC) by default. Because CBC on its own provides no integrity check, this default exposed servers to padding oracle attacks, which could allow an attacker to decrypt intercepted traffic.
Researchers Uri Katz and Avi Lumelsky from Oligo Security identified this critical cryptographic flaw. An initial set of updates was released by Apache in response to these findings. Yet, the fix led to another vulnerability, CVE-2026-34486, discovered by Bartlomiej Dmitruk of striga.ai, which enabled attackers to bypass the EncryptInterceptor entirely.
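The difference between the unauthenticated CBC default described above and an authenticated mode is easiest to see at the receiving end. The following Go program is an added example written for this article, not Tomcat's or the EncryptInterceptor's own code: it uses Go's standard crypto/cipher package rather than the Java JCE that Tomcat relies on, and the key, the message and the bit-flip positions are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var errBadPadding = errors.New("cbc: invalid PKCS#7 padding")

// mustAES builds the block cipher; a bad key length is a programming error in this demo.
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// randomBytes draws an IV or nonce from crypto/rand; failure is fatal here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// encryptCBC returns IV || AES-CBC(pad(plaintext)) with no integrity tag:
// the unauthenticated CBC configuration the article describes.
func encryptCBC(key, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	msg := append(randomBytes(aes.BlockSize), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(mustAES(key), msg[:aes.BlockSize]).CryptBlocks(msg[aes.BlockSize:], padded)
	return msg
}

// decryptCBC cannot tell a tampered message from a genuine one: it decrypts
// whatever arrives and reports a distinct padding error. That distinguishable
// error, observed over many modified messages, is what a padding oracle leaks.
func decryptCBC(key, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("cbc: bad message length")
	}
	out := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustAES(key), msg[:aes.BlockSize]).CryptBlocks(out, msg[aes.BlockSize:])
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errBadPadding
	}
	return out[:len(out)-n], nil
}

func mustGCM(key []byte) cipher.AEAD {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return aead
}

// encryptGCM returns nonce || AES-GCM(plaintext) || tag; the tag covers every byte.
func encryptGCM(key, plaintext []byte) []byte {
	aead := mustGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// decryptGCM verifies the tag before releasing any plaintext; every
// modification fails with the same error, so there is nothing to probe.
func decryptGCM(key, msg []byte) ([]byte, error) {
	aead := mustGCM(key)
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("gcm: bad message length")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// Outcome is what the receiver does with a message modified in transit.
type Outcome string

const (
	Accepted     Outcome = "accepted (garbled plaintext released)"
	PaddingError Outcome = "padding error (distinguishable from other failures)"
	AuthFailed   Outcome = "authentication failed (uniform, no plaintext released)"
)

// Tamper flips one bit at byte pos of a freshly encrypted message and reports
// how the receiver reacts; useGCM selects the authenticated mode.
func Tamper(key, plaintext []byte, pos int, useGCM bool) Outcome {
	var err error
	if useGCM {
		msg := encryptGCM(key, plaintext)
		msg[pos] ^= 0x01
		_, err = decryptGCM(key, msg)
	} else {
		msg := encryptCBC(key, plaintext)
		msg[pos] ^= 0x01
		_, err = decryptCBC(key, msg)
	}
	if err == nil {
		return Accepted
	}
	if errors.Is(err, errBadPadding) {
		return PaddingError
	}
	return AuthFailed // GCM's only failure mode for a same-length message
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit demo key
	pt := []byte("constructed cluster message")       // 27 bytes: CBC pads to 32 with 5 bytes of 0x05
	fmt.Println("CBC, IV bit flipped:      ", Tamper(key, pt, 0, false))
	fmt.Println("CBC, padding byte flipped:", Tamper(key, pt, 31, false))
	fmt.Println("GCM, nonce bit flipped:   ", Tamper(key, pt, 0, true))
}
```

With the constructed 27-byte message the CBC layout is IV (bytes 0 to 15), first ciphertext block (16 to 31) and last block (32 to 47), so a flip at position 0 only garbles the first plaintext block and the message is accepted, while a flip at position 31 changes the final padding byte and produces the padding error. A receiver whose behaviour differs between those two cases is the oracle; AES-GCM returns one uniform authentication failure for any modified byte and releases no plaintext at all. Flips inside the last CBC block give a random-looking final block, so their outcome varies from run to run, which is why the demo picks the two deterministic positions.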
Additional Vulnerabilities and Recommendations
Beyond the EncryptInterceptor issues, Apache addressed a medium-severity vulnerability, CVE-2026-34500, affecting Online Certificate Status Protocol (OCSP) checks. Because OCSP validation soft-failed, that is, treated an inconclusive revocation check as a pass, the flaw could lead to unexpected authentication outcomes. It was identified by Haruki Oyama from Waseda University.
The vulnerabilities impact several Apache Tomcat versions, notably including Apache Tomcat 11.0.20, 10.1.53, and 9.0.116. Broader issues, such as the initial padding oracle attack and certificate validation errors, affect a wider range of earlier versions.
To mitigate these threats, Apache recommends updating to the latest secure versions: Apache Tomcat 11.0.21 or later, 10.1.54 or later, and 9.0.117 or later. Organizations using older, unsupported Tomcat versions should upgrade immediately, as these will not receive patches for identified vulnerabilities.
