Tomcat is vulnerable to an authentication bypass. When Tomcat Native is configured to use pre-produced responses from an OCSP responder, it does not correctly validate the revocation status of the certificates covered by those responses. As a result, a client presenting a revoked certificate can still authenticate over mutual TLS, because the revoked client certificate is not properly identified as revoked.
mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%[email protected]%3E
www.securityfocus.com/bid/104934
www.securitytracker.com/id/1041507
access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/
access.redhat.com/errata/RHSA-2018:2469
access.redhat.com/errata/RHSA-2018:2470
access.redhat.com/security/updates/classification/#important
issues.jboss.org/browse/JWS-1042
lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@%3Cdev.rocketmq.apache.org%3E
lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@%3Cdev.rocketmq.apache.org%3E
lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@%3Cdev.rocketmq.apache.org%3E
lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E
lists.debian.org/debian-lts-announce/2018/08/msg00023.html