Tomcat is vulnerable to an authentication bypass. When using an OCSP responder, Apache Tomcat Native does not correctly handle invalid OCSP responses, so revoked client certificates are not properly identified. When mutual TLS is in use, users could therefore authenticate with revoked client certificates.
mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095943.GA24320%40minotaur.apache.org%3E
www.securityfocus.com/bid/104936
www.securitytracker.com/id/1041507
access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/
access.redhat.com/errata/RHSA-2018:2469
access.redhat.com/errata/RHSA-2018:2470
access.redhat.com/security/updates/classification/#important
issues.jboss.org/browse/JWS-1042
lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E
lists.debian.org/debian-lts-announce/2018/08/msg00023.html