Error condition not handled when configuring CRLs
Summary
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue. A flaw was found in Apache Tomcat. When configuring Certificate Revocation Lists (CRLs) for a FFM (presumably a specific type of connector), the system fails to detect and act upon an error condition. This oversight could lead to unexpected behavior or a security bypass, as the intended security controls might not be properly enforced. A flaw was found in Apache Tomcat. When using the FFM-based connector with CRL-based certificate revocation checking, an error in CRL data processing is not handled correctly, potentially allowing revoked certificates to be accepted. This only affects Tomcat 10.1.0-M7+ and 11.x using the FFM connector (Java 22+ Foreign Function & Memory API) with CRL configuration — an extremely narrow set of conditions not present in standard Red Hat deployments. Red Hat severity: Low — CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Weakness: CWE-390. Fixed by RHSA-2026:29203, RHSA-2026:32960 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- tomcat11-main-11.0.23-0.1.hum1
- tomcat10-main-10.1.56-1.hum1
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- tomcat10-main-10.1.56-1.hum1
- tomcat11-main-11.0.23-0.1.hum1
- RHSA-2026:29203
- RHSA-2026:32960
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- This vulnerability only affects Tomcat deployments using the FFM-based connector (requires Java 22+) with CRL-based certificate revocation checking. Deployments using the standard NIO/NIO2 connectors or not using CRL checking are not affected.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.