Key Information

CVE Identifier: CVE-2026-24734

Title: Apache Tomcat and Tomcat Native - OCSP revocation bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Affected Versions:
- Apache Tomcat 9.0.83 to 9.0.114
- Apache Tomcat 10.0.0-M1 to 10.1.51
- Apache Tomcat 11.0.0-M1 to 11.0.17
- Apache Tomcat Native 1.3.0 to 1.3.4
- Apache Tomcat Native 2.0.0 to 2.0.11
- Older, EOL versions may also be affected

Description:
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed.

Mitigation:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 9.0.115 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 11.0.18 or later

Credit: Joshua Rogers (@MegaManSec)

History:
- 2026-02-17: Original advisory

References:
- [1] https://tomcat.apache.org/security-11.html
- [2] https://tomcat.apache.org/security-10.html
- [3] https://tomcat.apache.org/security-9.html

Additional Commentary

Ivano Luberti confirmed that the CVE impacts only Tomcat instances using Tomcat Native for TLS (not OpenSSL or JSSE), and Chris corroborated that using tcnative is necessary for the vulnerability to be relevant.