ELSA-2026-26323

ELSA-2026-26323 - tomcat security update

Type: SECURITY
Impact: IMPORTANT
Release Date: 2026-06-23

Description


[1:9.0.117-1]
- Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation
- Resolves: Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
- Resolves: Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
- Resolves: Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
- Resolves: Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
- Resolves: Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
- Resolves: Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
- Resolves: Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
- Resolves: Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
- Resolves: Tomcat: Occasionally open redirect (CVE-2026-25854)
- Resolves: Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
- Resolves: Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
- Resolves: Tomcat: Security constraint bypass (CVE-2026-24733)
- Resolves: Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)


Related CVEs


CVE-2026-24734

Updated Packages


| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
|---|---|---|---|---|
| Oracle Linux 9 (aarch64) | tomcat-9.0.117-1.el9_8.src.rpm | 32f0f28cf4fefffb246125003ab24bdd63f400169af2903db38dfb0f7980af76 | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-9.0.117-1.el9_8.noarch.rpm | 1c4c9162a3e9fa2be5bb43adc37372a367974b5d5c7adefc882e6b5857950ea5 | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm | f0eb3da7ec7fd271d31641b272ad3c011496da5eee00f983860f97ae46b86c31 | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm | 1a487eec5dc43838a1a88517bc445536e60322de9e72575378da6beeadc80ae4 | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm | d3243b7201cff034ff1d6d9b58d9176991caed439cd814d38c4b908600c457e7 | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm | 7a9706db778e0d6fea6405b77a6e66798eed139e005ed274762c529e32b06394 | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-lib-9.0.117-1.el9_8.noarch.rpm | 59fe65af1ee93990df5511c2340a516d38cef5fd7f25f7a883b9a397089c63a1 | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm | e9e927b7755a1cb57aae05b96dfe615a0070b877e0d6f47c2ba913cabd5eb30a | - | ol9_aarch64_appstream |
| Oracle Linux 9 (aarch64) | tomcat-webapps-9.0.117-1.el9_8.noarch.rpm | d62f1f7116dd7db82a6d54eaf0c15efeca08a3e849c2b72a1e6a693ae5dee65c | - | ol9_aarch64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-9.0.117-1.el9_8.src.rpm | 32f0f28cf4fefffb246125003ab24bdd63f400169af2903db38dfb0f7980af76 | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-9.0.117-1.el9_8.noarch.rpm | 1c4c9162a3e9fa2be5bb43adc37372a367974b5d5c7adefc882e6b5857950ea5 | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm | f0eb3da7ec7fd271d31641b272ad3c011496da5eee00f983860f97ae46b86c31 | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm | 1a487eec5dc43838a1a88517bc445536e60322de9e72575378da6beeadc80ae4 | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm | d3243b7201cff034ff1d6d9b58d9176991caed439cd814d38c4b908600c457e7 | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm | 7a9706db778e0d6fea6405b77a6e66798eed139e005ed274762c529e32b06394 | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-lib-9.0.117-1.el9_8.noarch.rpm | 59fe65af1ee93990df5511c2340a516d38cef5fd7f25f7a883b9a397089c63a1 | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm | e9e927b7755a1cb57aae05b96dfe615a0070b877e0d6f47c2ba913cabd5eb30a | - | ol9_x86_64_appstream |
| Oracle Linux 9 (x86_64) | tomcat-webapps-9.0.117-1.el9_8.noarch.rpm | d62f1f7116dd7db82a6d54eaf0c15efeca08a3e849c2b72a1e6a693ae5dee65c | - | ol9_x86_64_appstream |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.
