Share
## https://sploitus.com/exploit?id=80A91C97-5EB0-566A-AB8F-52BAA4DC2EC6
# CVE-2026-29145 โ€“ Everything

Apache Tomcat **CLIENT_CERT + OCSP soft-fail bypass**: Complete reproduction environment, exploitation payloads, and materials for writing Suricata detection rules. > For use only in authorized security research and detection rule development. Do not use on unauthorized systems. ---

## Vulnerability Summary

| Item | Description |
|-----|-------------|
| **CVE** | CVE-2026-29145 |
| **Component** | Apache Tomcat / Tomcat Native |
| **Type** | Authentication bypass (mTLS / CLIENT_CERT) |
| **CVSS** | 9.1 (NVD) / Moderate (Apache) |
| **Affected Versions** | Tomcat 10.1.0-M7โ€“**10.1.52**, 9.0.83โ€“9.0.115, 11.0.0-M1โ€“11.0.18; Native 2.0.0โ€“**2.0.13** etc. |
| **Fixed Versions** | Tomcat **10.1.53+** / 9.0.116+ / 11.0.20+; Native **2.0.14+** |

### Vulnerability Mechanism

When Tomcat enables **CLIENT_CERT** and **OCSP**, and configures `ocspSoftFail=false` (hard failure), some OCSP failure paths (especially with a response status of **`tryLater`**) are not treated as hard failures. As a result, client certificates that should be rejected are accepted, allowing protected resources to be accessed. Official fixes (e.g., Tomcat commit [`fe26667c`](https://github.com/apache/tomcat/commit/fe26667cd2385045ac73f4dea086cc9971209b90)) align the handling of OCSP `TRY_LATER` with Tomcat Native. ### Results from This Repository

On **Tomcat 10.1.52 + Tomcat Native 2.0.12**:

| OCSP Behavior | ocspSoftFail | Result |
|-------------|-------------|-------|
| **DER `tryLater` (`30 03 0a 01 03`)** | **false** | **HTTP 200 โ€“ Successfully bypassed** |
| HTTP 500 | false | TLS rejection (hard failure applied) |
| OCSP timeout | false | TLS rejection |
| Any failure | true | 200 (expected soft-fail) |

**Key point: It must return `tryLater` as per RFC 6960. An HTTP 500 is insufficient to trigger the bypass in this environment.**

---

## Repository Content

```
CVE-2026-29145-Everything/
โ”œโ”€โ”€ README.md                 # This file
โ”œโ”€โ”€ REPRODUCTION.md           # Detailed reproduction notes and Suricata hints
โ”œโ”€โ”€ docker-compose.yml        # Vulnerable Tomcat + Mock OCSP
โ”œโ”€โ”€ poc_exploit.py            # Exploitation/simulation script (exit 10 = vulnerable)
โ”œโ”€โ”€ simple_proxy_fail.py      # Mock OCSP (fail / succeed / try_later / internal_error)
โ”œโ”€โ”€ setup_certs.sh            # Generate CA, server, and client certificates (including OCSP AIA)
โ”œโ”€โ”€ capture_exploit.sh        # One-click exploitation and packet capture
โ”œโ”€โ”€ run_test.sh / cleanup.sh
โ”œโ”€โ”€ requirements.txt
โ”œโ”€โ”€ tomcat/
โ”‚   โ”œโ”€โ”€ server.xml            # mTLS + ocspEnabled + ocspSoftFail=false
โ”‚   โ”œโ”€โ”€ tomcat-users.xml      # CLIENT-CERT user mapping
โ”‚   โ”œโ”€โ”€ ROOT/                 # Default minimum patching for official images
โ”‚   โ””โ”€โ”€ protected/            # Protected resources + web.xml (CLIENT-CERT)
โ””โ”€โ”€ pcaps/                    # โ˜… Captured exploitation payloads (for rule writing)
    โ”œโ”€โ”€ CVE-2026-29145-mtls-and-ocsp.pcap   # Main package: mTLS + OCSP
    โ”œโ”€โ”€ CVE-2026-29145-ocsp-only.pcap       # Only OCSP plaintext
    โ”œโ”€โ”€ CVE-2026-29145-mtls-only.pcap       # Only 8443 TLS
    โ””โ”€โ”€ exploit_response.html               # Successful exploitation response snapshot
```

The certificate private key directory `certs/` is ignored by `.gitignore`; it must be generated locally. ---

## Quick Start

### Dependencies

- Docker / Docker Compose
- OpenSSL
- Python 3.7+ (`pip install -r requirements.txt` or system `python3-requests`)

### Packet Capture (Traffic Retained)

```bash
./capture_exploit.sh
# Output will be saved in pcaps/CVE-2026-29145-*.pcap
```

### Packet Capture (Traffic Generated for Analysis)

```bash
./capture_exploit.sh
# Generate packets for analysis
```

### Configuration Notes (Vulnerable Server.xml)

```xml
<server>
```

### Recommendations for Fixing

1. Upgrade Tomcat to **10.1.53+** (or corresponding patch versions).
2. Update the Tomcat Native library to **2.0.14+**.
3. Recheck the `ocspSoftFail` policy and its effectiveness with respect to OCSP accessibility. Perform regression testing for unreachable/tryLater scenarios.

### Cleanup

```bash
./cleanup.sh
# Or:
docker compose down -v
```

### References

- [Apache Tomcat 10 Security](https://tomcat.apache.org/security-10.html) โ€“ CVE-2026-29145
- [NVD CVE-2026-29145](https://nvd.nist.gov/vuln/detail/CVE-2026-29145)
- [RFC 6960 OCSP](https://datatracker.ietf.org/doc/html/rfc6960)
- Source of PoCs: `CVE-2026-29145-Tester` (This repository has been strengthened and fully documented with reproducible configurations and tryLater paths.)

### Disclaimer

This project is intended solely for educational, authorized penetration testing, and development of intrusion detection rules. Users must ensure they have legal authorization to access the target system. The author assumes no responsibility for any misuse of this project.

[source-iocs-preserved url=http://ocsp-responder:8888,https://127.0.0.1:8443/protected-resource/,https://github.com/gkdgkd123/CVE-2026-29145-Everything.git ipv4=127.0.0.1 const=OCSP_MODE,OCSP_URL]