www-announce mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted
Date Wed, 31 Jan 2018 10:22:22 GMT
CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.14
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
When parsing the Authority Information Access (AIA) extension of a client
certificate, Apache Tomcat Native did not correctly handle fields longer
than 127 bytes (127 is the largest length DER encodes in a single octet;
longer fields use the multi-octet long form). The result of the parsing
error was to skip the OCSP check. It was therefore possible for client
certificates that should have been rejected (had the OCSP check been made)
to be accepted.
Users not using OCSP checks are not affected by this vulnerability.
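
The 127-byte boundary is where DER length encoding changes form, so a length reader that only understands the one-octet short form cannot walk an AIA whose responder URI, or the structure enclosing it, is longer than that. The C program below is an added illustration written for this page, not tomcat-native's own code: it walks an AIA extension value with a correct length reader and with a constructed short-form-only reader, and it returns the fail-closed verdict a verifier should give when it cannot locate the responder. The function names (der_read_length, der_read_length_short_only, aia_find_ocsp_uri, build_aia_ocsp, client_cert_verdict) and the sample responder URI are assumptions of the example, not identifiers from the advisory or the project.

```c
#include <stdint.h>
#include <string.h>

#define TAG_SEQUENCE 0x30
#define TAG_OID      0x06
#define TAG_URI      0x86   /* GeneralName [6] IMPLICIT IA5String: uniformResourceIdentifier */
/* id-ad-ocsp = 1.3.6.1.5.5.7.48.1, the accessMethod that marks an OCSP responder */
static const uint8_t OID_OCSP[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
typedef size_t (*len_reader)(const uint8_t *p, size_t avail, size_t *len);

/* Correct DER length decoding: short form (one octet < 0x80) or long form (0x81/0x82 plus
 * 1 or 2 big-endian octets, enough for any certificate extension). Returns octets consumed. */
size_t der_read_length(const uint8_t *p, size_t avail, size_t *len)
{
    size_t n, v = 0;
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    n = p[0] & 0x7f;
    if (n == 0 || n > 2 || avail < 1 + n) return 0;   /* indefinite form or oversized */
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    if (v < 0x80) return 0;                             /* DER requires minimal encoding */
    *len = v;
    return 1 + n;
}

/* Constructed buggy reader for contrast (an assumption of this example, not the project's
 * code): the first octet is taken as the whole length, so 128 or more is misread. */
size_t der_read_length_short_only(const uint8_t *p, size_t avail, size_t *len)
{ if (avail < 1) return 0; *len = p[0]; return 1; }

/* Walk AIA ::= SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }
 * and return the first id-ad-ocsp URI (length in *uri_len), or NULL if absent or malformed. */
const uint8_t *aia_find_ocsp_uri(const uint8_t *buf, size_t buflen, size_t *uri_len, len_reader rl)
{
    size_t n, total, adlen, oidlen, glen;
    if (buflen < 2 || buf[0] != TAG_SEQUENCE) return NULL;
    n = rl(buf + 1, buflen - 1, &total);
    if (n == 0 || total > buflen - 1 - n) return NULL;
    const uint8_t *p = buf + 1 + n, *end = p + total;
    while (p < end) {
        if (*p != TAG_SEQUENCE) return NULL;
        n = rl(p + 1, (size_t)(end - p) - 1, &adlen);
        if (n == 0 || adlen > (size_t)(end - p) - 1 - n) return NULL;
        const uint8_t *q = p + 1 + n, *adend = q + adlen;
        if (adlen < 2 || *q != TAG_OID) return NULL;
        n = rl(q + 1, adlen - 1, &oidlen);
        if (n == 0 || oidlen > adlen - 1 - n) return NULL;
        const uint8_t *oid = q + 1 + n, *g = oid + oidlen;
        size_t grem = (size_t)(adend - g);
        if (grem < 2) return NULL;
        n = rl(g + 1, grem - 1, &glen);
        if (n == 0 || glen > grem - 1 - n) return NULL;
        if (*g == TAG_URI && oidlen == sizeof OID_OCSP && memcmp(oid, OID_OCSP, oidlen) == 0) {
            *uri_len = glen;
            return g + 1 + n;
        }
        p = adend;   /* next AccessDescription, e.g. an id-ad-caIssuers entry */
    }
    return NULL;
}

/* DER length encoder, used only to build sample input. */
static size_t der_write_length(uint8_t *out, size_t len)
{
    if (len < 0x80)  { out[0] = (uint8_t)len; return 1; }
    if (len < 0x100) { out[0] = 0x81; out[1] = (uint8_t)len; return 2; }
    out[0] = 0x82; out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len; return 3;
}

/* Encode a one-entry AIA value whose OCSP responder is `uri`; returns the size, 0 if cap is too small. */
size_t build_aia_ocsp(uint8_t *out, size_t cap, const char *uri)
{
    uint8_t tmp[4], *o = out;
    size_t ulen    = strlen(uri);
    size_t gen_len = 1 + der_write_length(tmp, ulen) + ulen;        /* [6] URI TLV */
    size_t ad_len  = 2 + sizeof OID_OCSP + gen_len;                 /* OID TLV + URI TLV */
    size_t seq_len = 1 + der_write_length(tmp, ad_len) + ad_len;    /* AccessDescription TLV */
    if (1 + der_write_length(tmp, seq_len) + seq_len > cap) return 0;
    *o++ = TAG_SEQUENCE; o += der_write_length(o, seq_len);
    *o++ = TAG_SEQUENCE; o += der_write_length(o, ad_len);
    *o++ = TAG_OID; *o++ = sizeof OID_OCSP; memcpy(o, OID_OCSP, sizeof OID_OCSP); o += sizeof OID_OCSP;
    *o++ = TAG_URI; o += der_write_length(o, ulen); memcpy(o, uri, ulen); o += ulen;
    return (size_t)(o - out);
}

/* Fail-closed policy once OCSP checking is enabled: a certificate whose responder cannot be
 * located is rejected rather than waved through with the revocation check silently skipped. */
enum verdict { VERDICT_CHECK_OCSP, VERDICT_REJECT };
enum verdict client_cert_verdict(const uint8_t *aia, size_t len, len_reader rl)
{ size_t ulen; return aia_find_ocsp_uri(aia, len, &ulen, rl) ? VERDICT_CHECK_OCSP : VERDICT_REJECT; }

/* Constructed sample: a responder URI over 127 octets, forcing long-form lengths at every level. */
const char SAMPLE_LONG_URI[] =
    "http://ocsp.example.test/responders/region-eu-west-1/issuing-ca-2017/"
    "intermediate/subordinate/path-segment-padding-to-exceed-one-hundred-twenty-seven-octets";
```

With a short responder URI both readers recover the same URI, which is why a bug of this shape survives ordinary testing; with SAMPLE_LONG_URI the short-form-only reader misreads the outer SEQUENCE length, lands on a length octet where it expects a tag, and gives up, and the only safe verdict at that point is rejection. Two practitioner checks follow: when OCSP checking is enabled, treat a parse failure as a rejection (or at least log it loudly) rather than as "no responder, nothing to check", and when validating an upgrade, exercise a client certificate whose AIA pushes the extension past 127 bytes, confirming first via the AprLifecycleListener startup message that the Tomcat Native version actually loaded is the fixed one.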

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 1.2.16 or later
  Note: 1.2.15 was not released
        Tomcat Native 1.2.16 is included in Apache Tomcat 9.0.2 onwards,
        8.5.24 onwards, 8.0.48 onwards and 7.0.84 onwards.

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Jonas Klempel.

History:
2018-01-31 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html
