NewNet Lithium (TextPassLGR) Tomcat 7.0.109: Assessment for CVE-2026-24733, CVE-2026-24734, and CVE-2025-66614 (RHEL 7.9 & RHEL 8)

Overview

This article explains how to confirm whether TextPassLGR (and the bundled Apache Tomcat) is installed in a NewNet Lithium deployment and how to assess exposure to CVE-2026-24733, CVE-2026-24734, and CVE-2025-66614.

For the assessed deployment running Tomcat 7.0.109, NewNet Lithium was determined not vulnerable to these CVEs based on observed runtime/configuration evidence (including 505 HTTP Version Not Supported for HTTP/0.9 attempts and the Tomcat Native/OpenSSL-not-loaded startup message).

The same conclusions apply to both RHEL 8 and RHEL 7.9 (Maipo) where the NewNet Lithium Tomcat implementation for this component is identical.

Key Information

  • Scope: Validate whether NewNet Lithium’s bundled Tomcat 7.0.109 (typically installed with TextPassLGR) is impacted by:
    • CVE-2026-24733 – HTTP/0.9 Security Constraint Bypass
    • CVE-2026-24734 – OCSP Certificate Revocation Bypass (Tomcat & Tomcat Native)
    • CVE-2025-66614 – Client Certificate Verification Bypass via SNI/Host mismatch
  • Environment referenced:
    • Product: NewNet Lithium
    • Component: TextPassLGR (component that includes Tomcat in this deployment)
    • Tomcat: 7.0.109 (example path: /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/)
    • OS: Conclusions apply to RHEL 8 and RHEL 7.9 (Maipo) for the same product build/configuration
  • Step 1 — Confirm whether TextPassLGR is installed:
    rpm -qa | grep -i TextPassLGR

    Interpretation:

    • If output includes a package similar to TextPassLGR-R<version>-<release>.x86_64 (example observed: TextPassLGR-R01.06.04.00-1.x86_64), then TextPassLGR is installed and Tomcat components may be present as part of that deployment.
    • If no output is returned, LGR is likely not installed on that server.
  • Step 2 — Identify Tomcat install and baseline configuration files (typical locations):
    • .../conf/server.xml
    • .../conf/web.xml
    • .../logs/catalina.out
    • .../webapps/**/web.xml
    • Example: /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/conf/server.xml

  • Assessment summary (why the assessed deployment is not vulnerable):
    • CVE-2026-24734 (OCSP Certificate Revocation Bypass): Not applicable when Tomcat Native (APR/OpenSSL / libtcnative) is not installed/loaded, TLS uses JSSE, and clientAuth="false".
      • Supporting log evidence observed: "The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path."
      • JSSE-based connector evidence: Http11NioProtocol with JKS keystore usage
    • CVE-2025-66614 (Client certificate verification bypass via SNI/Host mismatch): Not applicable in the assessed configuration because:
      • Only a single <Host> was present
      • clientAuth="false"
      • The affected Tomcat version range is commonly described as 8.5.0+, while this deployment uses Tomcat 7.0.109
    • CVE-2026-24733 (HTTP/0.9 security constraint bypass): Not applicable because:
      • HTTP/0.9 requests were not accepted in the manner required by the CVE (explicit HTTP/0.9 returned 505 HTTP Version Not Supported; requests without an HTTP version were dropped)
      • No <security-constraint> entries were present in any deployed or global web.xml
  • Validation commands used in the assessment (adjust paths if your installation differs):
    • Check for Tomcat Native/APR references in logs:
      grep -i 'apr\|tcnative\|native' /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/logs/catalina.out
    • Confirm libtcnative is not present/installed:
      find / -name 'libtcnative*' 2>/dev/null
      rpm -qa | grep -i tcnative
    • Confirm HTTPS connector type and keystore usage:
      grep -A5 'Connector.*8443' /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/conf/server.xml

      Look for Http11NioProtocol and JKS keystore usage.

    • Confirm client certificate authentication setting:
      grep -i 'clientAuth' /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/conf/server.xml

      Expected in the assessed deployment: clientAuth="false"

    • Verify the number of <Host> blocks:
      grep -c '<Host ' /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/conf/server.xml

      Expected in the assessed deployment: 1

    • Search for security-constraint in app web.xml files:
      find /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/webapps/ -name web.xml -exec grep -l security-constraint {} \;
    • Check the global Tomcat web.xml:
      grep security-constraint /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109/conf/web.xml
    • Validate HTTP/0.9 handling (perform only in approved testing windows):
      (printf 'GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n'; sleep 2) | ncat 127.0.0.1 8080
      (printf 'GET /\r\n\r\n'; sleep 2) | ncat 127.0.0.1 8080
      (printf 'HEAD /\r\n\r\n'; sleep 2) | ncat 127.0.0.1 8080
      (printf 'GET / HTTP/0.9\r\n\r\n'; sleep 2) | ncat 127.0.0.1 8080
      (printf 'HEAD / HTTP/0.9\r\n\r\n'; sleep 2) | ncat 127.0.0.1 8080

      Expected evidence observed in the assessment: explicit HTTP/0.9 attempts return 505 HTTP Version Not Supported; version-less requests are dropped.

    • Optional SNI/Host mismatch probe (perform only in approved testing windows):
      openssl s_client -connect your_instance.domain.com:8443 -servername wrong.hostname.example.com
  • Validation checklist (what “good” looks like):
    • rpm -qa | grep -i TextPassLGR confirms whether LGR is installed.
    • Tomcat Native is not installed/loaded (no libtcnative, no APR/OpenSSL usage).
    • HTTPS connector uses JSSE (Http11NioProtocol) and clientAuth="false".
    • Only one <Host> is present in server.xml.
    • No security-constraint entries exist in global or app web.xml.
    • HTTP/0.9 attempts return 505 HTTP Version Not Supported (or are otherwise not accepted as required by the CVE).
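As an added example, not from the original article or from NewNet: a hypothetical POSIX shell helper, assess_tomcat, that runs the static-file checks from the validation commands and checklist above against one Tomcat root and returns 0 only when every condition of the assessed baseline holds. The sample tree it builds is constructed to mirror that baseline; the live HTTP/0.9 and SNI probes stay with the manual commands above because they need a running listener.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of the article): evaluate the static-file
# conditions of the assessed baseline under a Tomcat root such as
# /opt/TextPass/Apache/TextPassApache-tomcat-7.0.109 and return 0 only if all of them hold.
report() { if [ "$2" -eq 0 ]; then echo "PASS $1"; else echo "FAIL $1"; fail=1; fi; }

assess_tomcat() {
  root="$1"; fail=0; srv="$root/conf/server.xml"; log="$root/logs/catalina.out"
  # CVE-2026-24734: startup message says Tomcat Native was not found, and no tcnative hits
  cond=1; grep -q 'Tomcat Native library which allows using OpenSSL was not found' "$log" 2>/dev/null \
    && ! grep -qi 'tcnative' "$log" && cond=0
  report "tomcat-native-not-loaded" $cond
  # Collect the whole 8443 <Connector .../> element even when its attributes span lines
  conn=$(awk '/<Connector/{b="";i=1} i{b=b" "$0} i&&/\/>/{i=0; if (b ~ /port="8443"/) print b}' "$srv" 2>/dev/null)
  cond=1; printf '%s' "$conn" | grep -q 'Http11NioProtocol' \
    && printf '%s' "$conn" | grep -q 'keystoreFile=' \
    && printf '%s' "$conn" | grep -q 'clientAuth="false"' && cond=0
  report "https-connector-is-jsse-nio-with-clientAuth-false" $cond
  # CVE-2025-66614: exactly one <Host> block in server.xml
  cond=1; [ "$(grep -c '<Host ' "$srv" 2>/dev/null)" = "1" ] && cond=0
  report "single-host" $cond
  # CVE-2026-24733: no security-constraint in the global or any application web.xml
  cond=0
  for f in "$root/conf/web.xml" $(find "$root/webapps" -name web.xml 2>/dev/null); do
    grep -q 'security-constraint' "$f" 2>/dev/null && cond=1 || true
  done
  report "no-security-constraint" $cond
  return $fail
}

# Constructed sample tree mirroring the assessed baseline (not real deployment files)
demo=$(mktemp -d); mkdir -p "$demo/conf" "$demo/logs" "$demo/webapps/app/WEB-INF"
cat > "$demo/conf/server.xml" <<'EOF'
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
             keystoreFile="conf/keystore.jks" keystoreType="JKS" sslProtocol="TLS" />
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps" /></Engine>
</Service></Server>
EOF
printf '<web-app/>\n' | tee "$demo/conf/web.xml" > "$demo/webapps/app/WEB-INF/web.xml"
printf 'INFO: The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path.\n' > "$demo/logs/catalina.out"
assess_tomcat "$demo"
```

Any FAIL line names the condition that no longer matches the assessed baseline and therefore needs a fresh look at the corresponding CVE.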

Customer Impact

If your NewNet Lithium TextPassLGR deployment matches the assessed conditions (Tomcat 7.0.109, no Tomcat Native/OpenSSL, JSSE connector, clientAuth="false", single <Host>, no security-constraint, and HTTP/0.9 rejected), then no remediation is required for CVE-2026-24733, CVE-2026-24734, and CVE-2025-66614.

If you enable features that change the risk profile (for example, installing/using Tomcat Native, enabling clientAuth="true", adding multiple <Host> entries with differing TLS/client-auth requirements, or relying on security constraints that could be bypassed), rerun the checks in this article and reassess. Continue to follow Red Hat advisories for OS-level packages independently of this product-bundled Tomcat assessment.

Frequently Asked Questions

1. How do I quickly confirm whether LGR is installed on a server?

Run:

rpm -qa | grep -i TextPassLGR

If it returns a TextPassLGR-... package, LGR is installed on that server.

2. I found Tomcat on disk. Does that automatically mean I’m vulnerable to these CVEs?

No. These CVEs require specific runtime/configuration conditions (for example: Tomcat Native/APR present, client certificate authentication enabled with multiple virtual hosts, or specific HTTP/0.9 plus security-constraint behavior). Use the checks in this article to validate whether those conditions exist.

3. What exact message indicates Tomcat Native (OpenSSL) is NOT being used?

In the assessed deployment, catalina.out included:

"The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path."

This is a strong indicator Tomcat Native is not loaded.

4. What response indicates Tomcat is rejecting HTTP/0.9 requests?

When explicitly sending an HTTP/0.9 version string, the assessed deployment returned:

505 HTTP Version Not Supported

5. What changes could make CVE-2025-66614 relevant in my environment?

Enabling client certificate authentication (clientAuth="true") and configuring multiple <Host> blocks with differing TLS/client-auth requirements could

Priyanka Bhotika