Applications Manager and Tomcat vulnerabilities CVE-2025-66614, CVE-2026-24733, and CVE-2026-24734

Article ID: 437607

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Security vulnerability scanners may flag the following CVEs related to Apache Tomcat packaged with Applications Manager:

  • CVE-2025-66614: Client Certificate Authentication Bypass (SNI mismatch)
  • CVE-2026-24733: Security Constraint Bypass via HTTP/0.9
  • CVE-2026-24734: OCSP Revocation Bypass

Scanners report these findings because they detect the version string of the tomcat-embed-el library (for example 10.1.33) and compare it against the Tomcat releases in which the CVEs were fixed (10.1.50 and 10.1.52), without checking which Tomcat components the jar actually contains.

Environment

Applications Manager version 9.6 and 9.6.1

Cause

Applications Manager v9.6 and v9.6.1 ship the tomcat-embed-el library, the Apache implementation of the Expression Language (EL) specification (javax.el / jakarta.el). Security tools commonly flag any artifact carrying a Tomcat signature and version, even when the vulnerable components (the servlet container and its connectors) are not in use.

Resolution

Applications Manager is not vulnerable to these CVEs. The justification for each is as follows:

  • CVE-2025-66614: This is a mismatch between the TLS layer (the SNI name) and the HTTP layer (the Host header). It requires multiple virtual hosts and a client-certificate (mTLS) configuration on the Tomcat connector. AM does not use Tomcat as its web server and does not implement virtual hosts with it.
  • CVE-2026-24733: This involves bypassing security constraints by sending HEAD requests over the HTTP/0.9 protocol. It requires specific Tomcat security constraints (for example, allow HEAD but deny GET). AM does not use Tomcat as a web server, so no such constraints are managed by Tomcat.
  • CVE-2026-24734: This affects Tomcat's integration with OpenSSL (via Tomcat Native or the FFM API) and concerns the freshness check of OCSP responses. AM does not use these Tomcat TLS libraries in its web server implementation.

Technical Distinction: Full Tomcat vs. Tomcat-Embed-EL

Security teams should distinguish between the two:

  1. Full Tomcat: A standalone web server/servlet container with a webapps folder, a server.xml, and a conf directory. It terminates incoming network connections itself.
  2. Tomcat-Embed-EL: A single library embedded in the AM code. AM uses its own engine for web server tasks and uses the EL library only to evaluate expressions.
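One way for a security team to verify this distinction on an actual install, rather than taking the version string at face value: open each Tomcat-named jar and check whether it contains classes from the container and connector layer (Catalina, Coyote, the socket and OpenSSL wrappers), or only Expression Language classes. The script below is an added example and is not Broadcom's or the Applications Manager product's own code. The install path passed on the command line, the class-name prefixes, and the constructed sample jars it builds when run without arguments are all assumptions made for illustration.

```python
"""Classify Tomcat jars in an install tree: container code vs. EL only.

Added example for this article, not Broadcom/Automic code. Assumes only that
jars live somewhere under the (hypothetical) install directory given as argv[1].
"""
import io
import os
import re
import sys
import zipfile

# Class-name prefixes that exist only in the servlet container / connector
# layer (Catalina, Coyote, JSSE/OpenSSL socket wrappers): the code the three
# CVEs concern. Assumed prefix list, not from the article.
CONTAINER_PREFIXES = (
    "org/apache/catalina/",
    "org/apache/coyote/",
    "org/apache/tomcat/util/net/",
)
# Prefixes that make up the Expression Language implementation only.
EL_PREFIXES = ("org/apache/el/", "jakarta/el/", "javax/el/")

# Lowest fixed version on the 10.1.x line that the scanners compare against.
FIXED_10_1 = (10, 1, 50)


def parse_version(text):
    """'10.1.33' -> (10, 1, 33); tolerates suffixes such as '10.1.33-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(zf):
    """Read Implementation-Version from the manifest, else Maven pom.properties."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    except KeyError:
        pass
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            m = re.search(r"^version=(\S+)", zf.read(name).decode("utf-8", "replace"), re.M)
            if m:
                return m.group(1)
    return None


def classify_jar(label, data):
    """Return a dict describing which Tomcat code a jar actually carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = jar_version(zf)
    has_container = any(n.startswith(CONTAINER_PREFIXES) for n in names)
    has_el = any(n.startswith(EL_PREFIXES) for n in names)
    v = parse_version(version)
    return {
        "jar": label,
        "version": version,
        "exposes_connector": has_container,
        "el_only": has_el and not has_container,
        # What the scanner alone sees: a version string below the fix level.
        "version_below_fix": bool(v) and v[:2] == (10, 1) and v < FIXED_10_1,
    }


def scan_install(root):
    """Walk an install tree and classify every Tomcat-named jar."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar") and "tomcat" in f.lower():
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    results.append(classify_jar(path, fh.read()))
    return results


def make_sample_jar(entries, version):
    """Build a constructed in-memory jar; class entries are empty stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        for e in entries:
            zf.writestr(e, b"")
    return buf.getvalue()


# Constructed samples: an EL-only jar like the one AM 9.6 ships, and, for
# contrast, what a jar carrying the container and connector code looks like.
EL_ONLY_ENTRIES = ["org/apache/el/ExpressionFactoryImpl.class", "jakarta/el/ELContext.class"]
CONTAINER_ENTRIES = ["org/apache/catalina/core/StandardHost.class",
                     "org/apache/coyote/http11/Http11Processor.class",
                     "org/apache/tomcat/util/net/openssl/OpenSSLEngine.class"]


def demo():
    return [
        classify_jar("tomcat-embed-el-10.1.33.jar", make_sample_jar(EL_ONLY_ENTRIES, "10.1.33")),
        classify_jar("tomcat-embed-core-10.1.33.jar", make_sample_jar(CONTAINER_ENTRIES, "10.1.33")),
    ]


if __name__ == "__main__":
    rows = scan_install(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in rows:
        verdict = ("EL only: scanner hit is a version-string match" if r["el_only"]
                   else "container code present: treat the CVEs as applicable")
        print(f'{r["jar"]} {r["version"]} -> {verdict}')
```

Run it as `python3 classify_tomcat_jars.py /path/to/ApplicationsManager` to produce evidence for the exception request: a jar that reports `el_only` carries no Catalina, Coyote or socket-layer classes, so none of the code paths named by the three CVEs is present, whatever its version string says. A jar that reports `exposes_connector` should not be whitelisted on the strength of this article.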

Recommendation

  1. Whitelist: Mark these findings as false positives (whitelist the tomcat-embed-el library) in your security scanning tool for versions 9.6 and 9.6.1.
  2. Upgrade: Upgrade to Applications Manager v9.6.2 or later. From version 9.6.2, AM has migrated to Jetty and no longer ships or uses any Tomcat libraries, which permanently removes these scanner findings.