Share
## https://sploitus.com/exploit?id=80A91C97-5EB0-566A-AB8F-52BAA4DC2EC6
# CVE-2026-29145 โ Everything
Apache Tomcat **CLIENT_CERT + OCSP soft-fail bypass**: Complete reproduction environment, exploitation payloads, and materials for writing Suricata detection rules. > For use only in authorized security research and detection rule development. Do not use on unauthorized systems. ---
## Vulnerability Summary
| Item | Description |
|-----|-------------|
| **CVE** | CVE-2026-29145 |
| **Component** | Apache Tomcat / Tomcat Native |
| **Type** | Authentication bypass (mTLS / CLIENT_CERT) |
| **CVSS** | 9.1 (NVD) / Moderate (Apache) |
| **Affected Versions** | Tomcat 10.1.0-M7โ**10.1.52**, 9.0.83โ9.0.115, 11.0.0-M1โ11.0.18; Native 2.0.0โ**2.0.13** etc. |
| **Fixed Versions** | Tomcat **10.1.53+** / 9.0.116+ / 11.0.20+; Native **2.0.14+** |
### Vulnerability Mechanism
When Tomcat enables **CLIENT_CERT** and **OCSP**, and configures `ocspSoftFail=false` (hard failure), some OCSP failure paths (especially with a response status of **`tryLater`**) are not treated as hard failures. As a result, client certificates that should be rejected are accepted, allowing protected resources to be accessed. Official fixes (e.g., Tomcat commit [`fe26667c`](https://github.com/apache/tomcat/commit/fe26667cd2385045ac73f4dea086cc9971209b90)) align the handling of OCSP `TRY_LATER` with Tomcat Native. ### Results from This Repository
On **Tomcat 10.1.52 + Tomcat Native 2.0.12**:
| OCSP Behavior | ocspSoftFail | Result |
|-------------|-------------|-------|
| **DER `tryLater` (`30 03 0a 01 03`)** | **false** | **HTTP 200 โ Successfully bypassed** |
| HTTP 500 | false | TLS rejection (hard failure applied) |
| OCSP timeout | false | TLS rejection |
| Any failure | true | 200 (expected soft-fail) |
**Key point: It must return `tryLater` as per RFC 6960. An HTTP 500 is insufficient to trigger the bypass in this environment.**
---
## Repository Content
```
CVE-2026-29145-Everything/
โโโ README.md # This file
โโโ REPRODUCTION.md # Detailed reproduction notes and Suricata hints
โโโ docker-compose.yml # Vulnerable Tomcat + Mock OCSP
โโโ poc_exploit.py # Exploitation/simulation script (exit 10 = vulnerable)
โโโ simple_proxy_fail.py # Mock OCSP (fail / succeed / try_later / internal_error)
โโโ setup_certs.sh # Generate CA, server, and client certificates (including OCSP AIA)
โโโ capture_exploit.sh # One-click exploitation and packet capture
โโโ run_test.sh / cleanup.sh
โโโ requirements.txt
โโโ tomcat/
โ โโโ server.xml # mTLS + ocspEnabled + ocspSoftFail=false
โ โโโ tomcat-users.xml # CLIENT-CERT user mapping
โ โโโ ROOT/ # Default minimum patching for official images
โ โโโ protected/ # Protected resources + web.xml (CLIENT-CERT)
โโโ pcaps/ # โ
Captured exploitation payloads (for rule writing)
โโโ CVE-2026-29145-mtls-and-ocsp.pcap # Main package: mTLS + OCSP
โโโ CVE-2026-29145-ocsp-only.pcap # Only OCSP plaintext
โโโ CVE-2026-29145-mtls-only.pcap # Only 8443 TLS
โโโ exploit_response.html # Successful exploitation response snapshot
```
The certificate private key directory `certs/` is ignored by `.gitignore`; it must be generated locally. ---
## Quick Start
### Dependencies
- Docker / Docker Compose
- OpenSSL
- Python 3.7+ (`pip install -r requirements.txt` or system `python3-requests`)
### Packet Capture (Traffic Retained)
```bash
./capture_exploit.sh
# Output will be saved in pcaps/CVE-2026-29145-*.pcap
```
### Packet Capture (Traffic Generated for Analysis)
```bash
./capture_exploit.sh
# Generate packets for analysis
```
### Configuration Notes (Vulnerable Server.xml)
```xml
<server>
```
### Recommendations for Fixing
1. Upgrade Tomcat to **10.1.53+** (or corresponding patch versions).
2. Update the Tomcat Native library to **2.0.14+**.
3. Recheck the `ocspSoftFail` policy and its effectiveness with respect to OCSP accessibility. Perform regression testing for unreachable/tryLater scenarios.
### Cleanup
```bash
./cleanup.sh
# Or:
docker compose down -v
```
### References
- [Apache Tomcat 10 Security](https://tomcat.apache.org/security-10.html) โ CVE-2026-29145
- [NVD CVE-2026-29145](https://nvd.nist.gov/vuln/detail/CVE-2026-29145)
- [RFC 6960 OCSP](https://datatracker.ietf.org/doc/html/rfc6960)
- Source of PoCs: `CVE-2026-29145-Tester` (This repository has been strengthened and fully documented with reproducible configurations and tryLater paths.)
### Disclaimer
This project is intended solely for educational, authorized penetration testing, and development of intrusion detection rules. Users must ensure they have legal authorization to access the target system. The author assumes no responsibility for any misuse of this project.
[source-iocs-preserved url=http://ocsp-responder:8888,https://127.0.0.1:8443/protected-resource/,https://github.com/gkdgkd123/CVE-2026-29145-Everything.git ipv4=127.0.0.1 const=OCSP_MODE,OCSP_URL]