PT-2018-18384 · Apache+2 · Apache Tomcat Native+2

Coty Sutherland · Published 2018-07-31 · Updated 2021-09-23 · CVE-2018-8019

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Tomcat Native versions 1.1.23 through 1.1.34; Apache Tomcat Native versions 1.2.0 through 1.2.16
Description: When an OCSP responder is used, Apache Tomcat Native did not correctly handle invalid OCSP responses. As a result, a revoked client certificate could be misidentified as valid, allowing a client to authenticate with a revoked certificate when mutual TLS is in use.
Recommendations: For Apache Tomcat Native versions 1.1.23 through 1.1.34, and for versions 1.2.0 through 1.2.16, update to a version that correctly handles OCSP responses so that revoked certificates can no longer be used to authenticate. As a temporary workaround, consider disabling OCSP checks until a patch is available.
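The description above amounts to a fail-open pattern: an OCSP response that cannot be parsed is treated as "not revoked", so a revoked certificate passes. The following added example is not Tomcat Native's code; the text-based response format, the function names and the sample responses are constructed. It models that flaw beside the fail-closed check that corrects it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class OcspResult:
    response_ok: bool                 # successful, well-formed response
    cert_status: Optional[CertStatus]  # None when nothing could be parsed


def parse_ocsp_response(raw: bytes) -> OcspResult:
    """Constructed toy parser standing in for DER decoding.
    "OK:<status>" is a successful response; anything else is invalid."""
    try:
        kind, _, status = raw.decode("ascii").partition(":")
        if kind != "OK":
            return OcspResult(False, None)
        return OcspResult(True, CertStatus(status))
    except (UnicodeDecodeError, ValueError):
        return OcspResult(False, None)


def vulnerable_accepts(raw: bytes) -> bool:
    """Flawed, fail-open logic: only an explicit 'revoked' answer
    rejects the client, so an invalid response lets a revoked cert in."""
    return parse_ocsp_response(raw).cert_status != CertStatus.REVOKED


def hardened_accepts(raw: bytes) -> bool:
    """Fail-closed logic: accept only a well-formed successful
    response whose certificate status is exactly 'good'."""
    result = parse_ocsp_response(raw)
    return result.response_ok and result.cert_status == CertStatus.GOOD


# Constructed sample responses; "malformed" is arbitrary bytes, not real OCSP.
RESPONSES = {
    "good": b"OK:good",
    "revoked": b"OK:revoked",
    "unknown": b"OK:unknown",
    "error": b"ERR:internalError",
    "malformed": b"\x30\x03\x0a\x01\x06",
}
```

Running both policies over RESPONSES shows the difference: the flawed check admits the "error" and "malformed" cases, the hardened one admits only "good".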

Weakness Enumeration

Improper Certificate Validation

Related identifiers

ALT-PU-2019-1916
ALT-PU-2021-2859
CVE-2018-8019
DLA-1475-1
MGASA-2019-0184
RHSA-2018:2469
SUSE-SU-2019:14014-1
SUSE-SU-2019_14014-1

Affected products

Alt Linux
Apache Tomcat Native
Suse