# CVE-2026-34486 — Apache Tomcat Tribes EncryptInterceptor fail-open RCE
#
# Vulnerable pin: Apache Tomcat 11.0.20 (official image, exact patch release).
# The fail-open EncryptInterceptor.messageReceived() exists only in 9.0.116 /
# 10.1.53 / 11.0.20; we use 11.0.20 unchanged (rule #5: source is not modified).
#
# Pinned by tag only. The tag fixes the Tomcat patch release, which is what the
# reproduction depends on, but the OS/JDK layers underneath can still move; pin
# to a digest (`tomcat:11.0.20-jdk17-temurin-jammy@sha256:<resolved-digest>`)
# once resolved if a byte-identical rebuild is required.
# NOTE(review): single-stage image — everything installed below (gosu, the
# gadget jar) ships in the final image; that is intentional for a lab target.
FROM tomcat:11.0.20-jdk17-temurin-jammy

# --- gosu for privilege drop in the entrypoint ---
# The deserialization sink runs in the JVM; we run that JVM as a dedicated
# unprivileged 'tomcat' user so the marker the criterion checks is owned by the
# Tomcat service user (a distinct identity, not root). gosu is the tool the
# entrypoint uses to step down from root. Packages are unpinned, so the exact
# gosu build follows the jammy archive at build time. The final `gosu nobody
# true` is a smoke test that gosu can actually switch identity.
RUN set -eux \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        gosu \
    && rm -rf /var/lib/apt/lists/* \
    && gosu nobody true

# --- dedicated unprivileged service user ---
# System account, no login shell, home set to the Tomcat install directory.
# NOTE(review): no fixed --uid/--gid; the system range is allocated at build
# time. If the marker-ownership criterion compares numeric ids rather than
# names, pin one here.
RUN set -eux \
    && groupadd --system tomcat \
    && useradd --system --gid tomcat \
        --home-dir /usr/local/tomcat --shell /usr/sbin/nologin tomcat

# --- gadget chain on the server classpath ---
# CVE-2026-34486 is a deserialization sink; RCE is impossible without a usable
# gadget on the target classpath (criterion: "Gadget availability"). Commons
# Collections 3.2.1 is the canonical CommonsCollections gadget source. Pinned
# version + SHA1 verified against Maven Central. This is an additive dependency
# placed in Tomcat's common lib dir; it does NOT modify Tomcat's own source.
#
# CC_SHA1 is the checksum pinned for exactly CC_VERSION. Overriding CC_VERSION
# with --build-arg without also overriding CC_SHA1 makes `sha1sum -c` fail,
# which aborts the build so no unverified jar is left in the image.
ARG CC_VERSION=3.2.1
ARG CC_SHA1=761ea405b9b37ced573d2df0d1e3a4e0f9edc668
RUN set -eux \
    && jar="/usr/local/tomcat/lib/commons-collections-${CC_VERSION}.jar" \
    && curl --fail --silent --show-error --location \
        --output "$jar" \
        "https://repo1.maven.org/maven2/commons-collections/commons-collections/${CC_VERSION}/commons-collections-${CC_VERSION}.jar" \
    && echo "${CC_SHA1}  ${jar}" | sha1sum -c -

# --- vulnerable cluster configuration (EncryptInterceptor with a key) ---
# server.xml comes from the build context and replaces the image default.
# NOTE(review): the interceptor key is presumably embedded in this file —
# confirm; it is a cluster secret baked into the image layer, acceptable only
# because this is a lab-target configuration.
COPY config/server.xml /usr/local/tomcat/conf/server.xml

# --- marker staging dir owned by the service user (clean baseline managed by entrypoint) ---
# `install -d -o -g` creates /marker already owned by tomcat, which is what the
# marker-ownership criterion observes. The Tomcat runtime directories are
# handed to the service user as well. conf/ is in that list, so the JVM can
# rewrite its own server.xml at runtime — NOTE(review): presumably the
# entrypoint's baseline reset needs that; confirm, because a read-only conf/
# would otherwise be the least-privilege choice.
RUN set -eux \
    && install -d -o tomcat -g tomcat /marker \
    && chown -R tomcat:tomcat \
        /usr/local/tomcat/conf \
        /usr/local/tomcat/logs \
        /usr/local/tomcat/temp \
        /usr/local/tomcat/work

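# --- entrypoint (the script that gosu-drops to 'tomcat'; lives in config/, not shown here) ---
# --chmod sets the mode at copy time instead of a follow-up `RUN chmod +x`,
# which would rewrite the whole file into a second layer. 0755 is explicit
# rather than inherited from the build-context file's mode. Requires BuildKit
# (the default builder since Docker 23); on the legacy builder fall back to
# COPY followed by RUN chmod +x.
COPY --chmod=0755 config/entrypoint.sh /usr/local/bin/entrypoint.sh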

# --- runtime contract ---
# No USER directive on purpose: the container starts as root so entrypoint.sh
# can manage the marker baseline and then step down to 'tomcat' via gosu (see
# the gosu section above; the script itself is not in this file).
# EXPOSE is documentation only. 8080 is the HTTP connector; 4000 is presumably
# the Tribes cluster receiver the EncryptInterceptor fronts — confirm against
# config/server.xml.
EXPOSE 8080
EXPOSE 4000
# CMD supplies the default arguments to the entrypoint; override at `docker run`.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["catalina.sh", "run"]
