PT-2018-18385 · Apache+2 · Apache Tomcat Native+2
Crazywen
·
Publicado
2018-07-31
·
Atualizado
2021-09-23
·
CVE-2018-8020
CVSS v3.1
7.4
Alta
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache Tomcat Native versions 1.1.23 through 1.1.34
Apache Tomcat Native versions 1.2.0 through 1.2.16
Description:
The issue arises from a flaw in properly checking OCSP pre-produced responses, which are lists of certificate statuses. This flaw can lead to revoked client certificates not being properly identified, allowing users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this issue.
Recommendations:
For Apache Tomcat Native versions 1.1.23 through 1.1.34, update to a version that properly checks OCSP pre-produced responses to prevent authentication with revoked certificates.
For Apache Tomcat Native versions 1.2.0 through 1.2.16, update to a version that properly checks OCSP pre-produced responses to prevent authentication with revoked certificates.
As a temporary workaround, consider disabling OCSP checks until a patch is available.
Correção
Improper Certificate Validation
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Alt Linux
Apache Tomcat Native
Suse