Crazywen

Name of the Vulnerable Software and Affected Versions: Apache Tomcat Native versions 1.1.23 through 1.1.34 Apache Tomcat Native versions 1.2.0 through 1.2.16 Description: The issue arises from a flaw in properly checking OCSP pre-produced responses, which are lists of certificate statuses. This flaw can lead to revoked client certificates not being properly identified, allowing users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this issue. Recommendations: For Apache Tomcat Native versions 1.1.23 through 1.1.34, update to a version that properly checks OCSP pre-produced responses to prevent authentication with revoked certificates. For Apache Tomcat Native versions 1.2.0 through 1.2.16, update to a version that properly checks OCSP pre-produced responses to prevent authentication with revoked certificates. As a temporary workaround, consider disabling OCSP checks until a patch is available.