Summary: Xerox DocuShare evaluated DocuShare for Apache Tomcat CVE-2026-24734 and determined that DocuShare is not vulnerable in its default configuration. This CVE depends on HTTPS/TLS and OCSP validation conditions that are not present in the standard DocuShare deployment model.
Applies To
| DocuShare Release | Guidance |
| --- | --- |
| DocuShare 7.5 | Not affected under the standard Xerox DocuShare configuration. |
| DocuShare 7.6 | Not affected under the standard Xerox DocuShare configuration. |
| DocuShare 7.7 | Not affected under the standard Xerox DocuShare configuration. |
| DocuShare 8.0 | Not affected under the standard Xerox DocuShare configuration. |
Overview
CVE-2026-24734 is an Apache Tomcat OCSP validation issue that depends on a specific TLS certificate validation flow. Scanner findings based only on the Tomcat version do not confirm that a DocuShare deployment is exposed.
Xerox engineering analysis confirmed that the default Tomcat connector configuration used by DocuShare does not enable the HTTPS/TLS and OCSP conditions needed to reach the vulnerable code path. The standard DocuShare deployment model therefore does not expose the CLIENT_CERT and OCSP validation path required for this CVE.
This assessment remains accurate for supported DocuShare deployments that use the Xerox-supplied default Tomcat connector configuration and the current Xerox-supported Tomcat 9.0.106 level.
What the Vulnerability Requires
The CVE depends on deployment conditions that are not part of the standard DocuShare configuration.
- An HTTPS/TLS connector enabled for the deployment under review.
- A certificate validation flow that reaches the affected OCSP handling path.
- OCSP revocation checking configured for that TLS certificate path.
DocuShare Assessment
| Assessment Item | Finding |
| --- | --- |
| Default HTTPS/TLS connector state | Commented out in the default Tomcat connector configuration. |
| Default client certificate authentication state | Not enabled in the default Tomcat connector configuration. |
| Default OCSP configuration state | Not configured. |
| Xerox engineering analysis | The vulnerable client-certificate and OCSP validation path is not reachable in the standard DocuShare deployment model. |
| Customer guidance | No Tomcat upgrade is required for a standard DocuShare deployment. |

Important: If your organization has manually enabled HTTPS/TLS and added custom OCSP or certificate revocation handling outside the standard Xerox DocuShare configuration, review that customization with Xerox DocuShare Support because the standard deployment analysis would no longer be the relevant baseline.
What You Should Do
- No action is required for a standard Xerox DocuShare deployment.
- If your organization has manually enabled HTTPS/TLS and added custom OCSP or certificate revocation handling outside the standard DocuShare configuration, review that customization with Xerox DocuShare Support.
- If a vulnerability scanner flags Tomcat 9.0.106 by version only, use this advisory to explain that exposure depends on deployment-specific TLS and OCSP settings, not version alone.
- Xerox recommends that customers remain on the latest Xerox-supported DocuShare patch level available for their release as part of normal maintenance.
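
For the scanner-triage step above, a check like the following reads a Tomcat server.xml and reports whether the three conditions listed under "What the Vulnerability Requires" are configured. It is an added example, not Xerox or DocuShare code; the sample configurations are constructed, and treating Tomcat's `clientAuth`, `certificateVerification`, `revocationEnabled` and `certificateRevocationListFile`/`certificateRevocationListPath` attributes as indicators of those conditions is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: HTTP connector active, HTTPS connector commented out.
SAMPLE_DEFAULT = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!--
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig certificateVerification="required" revocationEnabled="true" />
    </Connector>
    -->
  </Service>
</Server>"""

# Constructed sample: the same file after an administrator uncomments the TLS connector.
SAMPLE_CUSTOM = SAMPLE_DEFAULT.replace("<!--", "").replace("-->", "")


def assess(server_xml: str) -> dict:
    """Report which of the advisory's three preconditions appear in a server.xml."""
    # The XML parser drops comments, so a commented-out connector is never seen.
    root = ET.fromstring(server_xml)
    result = {"tls_connector": False, "client_cert": False, "revocation": False}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        result["tls_connector"] = True
        # Legacy connector-level attribute first, then each SSLHostConfig.
        modes = [conn.get("clientAuth", "false")]
        for host in conn.iter("SSLHostConfig"):
            modes.append(host.get("certificateVerification", "none"))
            if (host.get("revocationEnabled", "false").lower() == "true"
                    or host.get("certificateRevocationListFile")
                    or host.get("certificateRevocationListPath")):
                result["revocation"] = True
        if any(m.lower() not in ("false", "none") for m in modes):
            result["client_cert"] = True
    # All three conditions together mean the default-configuration analysis no longer applies.
    result["needs_review"] = all(
        result[k] for k in ("tls_connector", "client_cert", "revocation"))
    return result


if __name__ == "__main__":
    for name, xml in (("default", SAMPLE_DEFAULT), ("custom", SAMPLE_CUSTOM)):
        print(name, assess(xml))
```

It inspects server.xml only; revocation checking switched on through JVM properties is not visible to it, so a customised deployment still goes to Xerox DocuShare Support for review.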