You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2018/01/31 10:22:22 UTC
[SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check
omitted
CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.14
Apache Tomcat Native 1.1.23 to 1.1.34
Description:
When parsing the AIA-Extension field of a client certificate, Apache
Tomcat Native did not correctly handle fields longer than 127 bytes. The
result of the parsing error was to skip the OCSP check. It was therefore
possible for client certificates that should have been rejected (if the
OCSP check had been made) to be accepted.
Users not using OCSP checks are not affected by this vulnerability.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 1.2.16 or later
Note: 1.2.15 was not released
This version was included in Apache Tomcat 9.0.2 onwards, 8.5.24
onwards, 8.0.48 onwards and 7.0.84 onwards.
Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Jonas Klempel.
History:
2018-01-31 Original advisory
References:
[1] http://tomcat.apache.org/security-native.html