PT-2018-18384 · Apache · Apache Tomcat Native
Coty Sutherland · Published 2018-07-31 · Updated 2021-09-23
CVE-2018-8019
CVSS v3.1: 7.4 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
Apache Tomcat Native versions 1.1.23 through 1.1.34
Apache Tomcat Native versions 1.2.0 through 1.2.16
Description:
When an OCSP responder is in use, Apache Tomcat Native did not correctly handle invalid responses from it. As a result, a revoked client certificate could be treated as valid, so a user could authenticate with a revoked certificate when mutual TLS was in use.
Recommendations:
For Apache Tomcat Native versions 1.1.23 through 1.1.34 and versions 1.2.0 through 1.2.16, update to a version that correctly handles OCSP responses, so that authentication with revoked certificates is prevented.
As a temporary workaround, consider disabling OCSP checks until a patch is available.
Fix
Weakness Enumeration: Improper Certificate Validation
Affected Products: Alt Linux, Apache Tomcat Native, Suse