Summary: Xerox assessed DocuShare for Apache Tomcat CVE-2025-66614 and determined that standard DocuShare deployments are not affected, because the vulnerability requires multiple virtual hosts and connector-level client certificate authentication, neither of which is part of the supported DocuShare deployment model.
Applies To
| DocuShare Release | Guidance |
| --- | --- |
| DocuShare 7.5 | No action required for the shipped configuration. |
| DocuShare 7.6 | No action required for the shipped configuration. |
| DocuShare 7.7 | No action required for the shipped configuration. |
| DocuShare 8.0 | No action required for the shipped configuration. |
Overview
CVE-2025-66614 is an Apache Tomcat host-name validation issue that can permit bypass of client certificate authentication when a deployment uses multiple virtual hosts and applies client certificate authentication only at the Tomcat connector level.
Xerox DocuShare reviewed the supported DocuShare deployment model and found that those prerequisite conditions are not present in the standard product configuration.
What the Vulnerability Requires
The vulnerability only applies when several advanced Tomcat deployment conditions are true at the same time.
- Tomcat in an affected version range prior to Apache Tomcat 9.0.113.
- More than one virtual host configured in Tomcat.
- Connector-level client certificate authentication enabled for one host but not consistently enforced at the web application level.
- A traffic path where the TLS SNI host name and the HTTP Host header can differ, so that the host selected for the TLS handshake is not the host that serves the request.
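The first three conditions above can be checked against a Tomcat server.xml. The following is an added example, not Xerox or DocuShare code: it parses a constructed server.xml (hypothetical host names, keystore paths and ports) and reports whether more than one `<Host>` and any connector-level client certificate authentication (`clientAuth` on the Connector or `certificateVerification` on an `SSLHostConfig`) are both present, plus a version check against the 9.0.113 fix level named here.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from DocuShare): two <Host> elements and
# client certificate verification required on one SSLHostConfig of the TLS connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig hostName="portal.example.test" certificateVerification="required">
        <Certificate certificateKeystoreFile="conf/portal.jks" />
      </SSLHostConfig>
      <SSLHostConfig certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/default.jks" />
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
      <Host name="portal.example.test" appBase="portal" />
    </Engine>
  </Service>
</Server>
"""

def tomcat_9_affected(version):
    """True for a Tomcat 9.0.x build older than 9.0.113, the fix level named in
    this advisory. Other Tomcat branches are not covered by this check."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return (major, minor) == (9, 0) and patch < 113

def assess_server_xml(xml_text):
    """Report the virtual hosts and any connector-level client certificate
    authentication found in server.xml; presence of both is the configuration
    prerequisite for CVE-2025-66614 (it does not by itself prove exposure)."""
    root = ET.fromstring(xml_text)
    hosts = [h.get("name") for h in root.iter("Host")]
    cert_auth = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Legacy attribute form: clientAuth="true" or "want" on the Connector itself.
        if conn.get("clientAuth", "false").lower() in ("true", "want"):
            cert_auth.append(f"{port}:connector")
        # Tomcat 8.5+/9 form: certificateVerification on each SSLHostConfig.
        for shc in conn.findall("SSLHostConfig"):
            if shc.get("certificateVerification", "none").lower() != "none":
                cert_auth.append(f"{port}:{shc.get('hostName', '_default_')}")
    return {"hosts": hosts, "connector_cert_auth": cert_auth,
            "prerequisites_present": len(hosts) > 1 and bool(cert_auth)}
```

A supported single-host DocuShare layout yields an empty `connector_cert_auth` list and `prerequisites_present` false; a custom layout that flags true should be reviewed as the advisory recommends.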
DocuShare Assessment
| Assessment Item | Finding |
| --- | --- |
| Tomcat virtual hosts in supported DocuShare deployment | Single virtual host only |
| Connector-level client certificate authentication in supported DocuShare deployment | Not used |
| Customer guidance | Standard DocuShare deployments are not affected |
Important: If your organization has introduced a custom multi-host Tomcat layout or connector-level client certificate authentication outside the supported Xerox model, review those changes carefully.
What You Should Do
- No action is required for the supported Xerox DocuShare deployment model.
- If you maintain a custom Tomcat layout with multiple virtual hosts or connector-level mutual TLS, review that configuration carefully.