Apache Tomcat and Tomcat Native OCSP Revocation Bypass Vulnerability

Vulnerability

A vulnerability allowing OCSP revocation bypass has been identified in Apache Tomcat Native and Apache Tomcat. When an OCSP responder is used, Tomcat Native and Tomcat's FFM port of the Tomcat Native code failed to properly verify the OCSP response or to check its freshness, so certificate revocation could be improperly ignored. The vulnerability affects Apache Tomcat Native versions 1.3.0 through 1.3.4 and 2.0.0 through 2.0.11, as well as Apache Tomcat versions 11.0.0-M1 through 11.0.17, 10.1.0-M7 through 10.1.51, and 9.0.83 through 9.0.114. Older, end-of-life versions may also be affected.
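The checks the advisory says were missing, shown as an added example that is not Tomcat or Tomcat Native code: it uses the `cryptography` package (assumed installed) to build a constructed CA, leaf certificate and OCSP response, then accepts the certificate only when the response carries a valid signature from the issuer, falls inside its thisUpdate/nextUpdate window and reports "good". The names `build_response` and `accept_certificate` and the 5-minute skew are this example's own choices.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

SKEW = dt.timedelta(minutes=5)  # clock drift tolerated against the responder

def _cert(cn, key, issuer, issuer_key, now):
    # Constructed test certificate (not real PKI); issuer=None gives a self-signed CA.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=30))
            .sign(issuer_key or key, hashes.SHA256()))

def build_response(revoked, this_h, next_h):
    # Constructed OCSP response signed with a constructed CA key; times are hour offsets from now.
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    at = lambda h: now + dt.timedelta(hours=h)
    ca_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca = _cert("Test CA", ca_key, None, None, now)
    leaf = _cert("tomcat.example", leaf_key, ca, ca_key, now)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    reason = x509.ReasonFlags.key_compromise if revoked else None
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA256(),
                          cert_status=status, this_update=at(this_h), next_update=at(next_h),
                          revocation_time=now if revoked else None, revocation_reason=reason)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))
    return resp, ca

def accept_certificate(resp, issuer, now=None):
    """Fail closed: only a fresh, issuer-signed 'good' answer admits the certificate."""
    now = now or dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:  # the response must carry a valid signature from the issuer's key
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except Exception:
        return False
    # Freshness: not produced in the future and not past nextUpdate (a stale or replayed 'good')
    if resp.this_update > now + SKEW or (resp.next_update and resp.next_update < now - SKEW):
        return False
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD  # UNKNOWN fails too
```

A production verifier must additionally accept responses signed by a delegated responder certificate carrying the OCSP-signing extended key usage, and compare the nonce when one was sent in the request; both are left out here.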

Impact

Exploitation of this vulnerability could lead to improper handling of certificate revocation, allowing revoked certificates to be accepted as valid.

Remediation

Users are advised to upgrade to Apache Tomcat Native 2.0.12 or later, Apache Tomcat Native 1.3.5 or later, Apache Tomcat 11.0.18 or later, Apache Tomcat 10.1.52 or later, or Apache Tomcat 9.0.115 or later.

Added: Feb 17, 2026, 7:43 PM
Updated: Feb 17, 2026, 7:43 PM

Vulnerability Rating

Custom Algorithm
spread: 8.8
impact: 3.1
exploitability: 5.4
remediation: 0.0
relevance: 3.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.