Jonas Klempel

Name of the Vulnerable Software and Affected Versions: Apache Tomcat Native Connector versions 1.1.23 through 1.1.34 Apache Tomcat Native Connector versions 1.2.0 through 1.2.14 Description: The issue arises when parsing the AIA-Extension field of a client certificate. If the field is longer than 127 bytes, it is not handled correctly, resulting in the skipping of the OCSP check. This allows client certificates that should be rejected to be accepted, provided that OCSP checks are in use. Recommendations: For Apache Tomcat Native Connector versions 1.1.23 through 1.1.34, update to a version that correctly handles the AIA-Extension field. For Apache Tomcat Native Connector versions 1.2.0 through 1.2.14, update to a version that correctly handles the AIA-Extension field. As a temporary workaround, consider disabling the use of client certificates that rely on OCSP checks until a patch is available.