Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data
Description
Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Apache
PRODUCT: Tomcat
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Apache Tomcat’s EncryptInterceptor contains a Padding Oracle vulnerability when running under default configurations, potentially allowing for cryptographic attacks.
Executive Summary:
A Padding Oracle vulnerability in the Apache Tomcat EncryptInterceptor permits potential decryption of sensitive data, necessitating an immediate security update.
Vulnerability Details
CVE-ID: CVE-2026-29146
Affected Software: Apache Tomcat
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This is a cryptographic vulnerability known as a Padding Oracle. It arises within the
EncryptInterceptorcomponent, where improper handling of padding in encrypted data allows an attacker to decrypt sensitive information by observing server responses.Business Impact
Successful exploitation allows an attacker to decrypt encrypted traffic or session data, leading to the compromise of sensitive user information or authentication tokens. With a CVSS score of 7.5, this vulnerability poses a significant risk to the confidentiality of data processed by Tomcat-based applications.
Remediation Plan
Immediate Action: Update Apache Tomcat to the version recommended in the vendor advisory to patch the
EncryptInterceptorcomponent.Proactive Monitoring: Monitor application logs for abnormal error patterns related to cryptographic processing or decryption failures, which may indicate an ongoing padding oracle attack.
Compensating Controls: Ensure that encryption is enforced at the transport layer (TLS) and consider disabling the vulnerable interceptor if it is not strictly required for current operations.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of April 11, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of cryptographic flaws, the potential for exploitation is considered high.
Analyst Recommendation
Cryptographic vulnerabilities are difficult to detect via traditional signature-based monitoring. Administrators should prioritize applying the vendor-supplied patch immediately and ensure that all communication channels are secured with modern, robust encryption standards.