PT-2018-18385 · Apache · Apache Tomcat Native

Crazywen · Published 2018-07-31 · Updated 2021-09-23 · CVE-2018-8020

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Apache Tomcat Native versions 1.1.23 through 1.1.34
Apache Tomcat Native versions 1.2.0 through 1.2.16
Description: Apache Tomcat Native does not properly check OCSP pre-produced responses, that is, responses that carry a list of status entries for several certificates rather than a single entry. Because the status lookup in such multi-entry responses was incorrect, a revoked client certificate may not be identified as revoked, and a client holding a revoked certificate (and its private key) can still authenticate to connections that require mutual TLS. The flaw lies in the OCSP check itself, so deployments that do not perform OCSP checks are not affected by this issue.
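The check the description refers to, as an added example that is not tcnative's or OpenSSL's code: a constructed model of an OCSP response whose responses list holds status entries for several certificates. It contrasts the flaw class (reading whichever entry comes first) with a lookup keyed by the presented certificate's CertID that fails closed on a missing or stale entry. All names, the sample issuer bytes and the serial numbers are assumptions made for the illustration.

```python
"""Constructed model of an OCSP response with several SingleResponse entries.

Added example, not tcnative's or OpenSSL's code. It models the check a TLS
server must perform on a pre-produced (multi-entry) OCSP response for a
client certificate: the status must be looked up by CertID, not read from
whichever entry happens to come first, and anything other than a fresh
"good" entry for that exact certificate must fail closed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class CertID:
    """RFC 6960 CertID: hash algorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    status: CertStatus
    this_update: datetime
    next_update: Optional[datetime]


@dataclass(frozen=True)
class BasicResponse:
    """The responses sequence of a BasicOCSPResponse (signature checking omitted here)."""
    responses: Tuple[SingleResponse, ...]


def cert_id_for(issuer_name_der: bytes, issuer_key_der: bytes, serial: int) -> CertID:
    """Derive the CertID a responder would use for a certificate (SHA-1, as in RFC 6960)."""
    return CertID(
        "sha1",
        hashlib.sha1(issuer_name_der).digest(),
        hashlib.sha1(issuer_key_der).digest(),
        serial,
    )


def flawed_status(resp: BasicResponse, presented: CertID) -> CertStatus:
    """The flaw class: take entry 0 and never check which certificate it describes."""
    return resp.responses[0].status


MAX_CLOCK_SKEW = timedelta(minutes=5)


def find_status(resp: BasicResponse, presented: CertID, now: datetime) -> CertStatus:
    """Correct lookup (same idea as OpenSSL's OCSP_resp_find_status): scan every
    entry for the presented certificate's CertID and report a missing or stale
    entry as UNKNOWN so that the caller rejects the client."""
    for single in resp.responses:
        if single.cert_id != presented:
            continue
        if single.this_update > now + MAX_CLOCK_SKEW:
            return CertStatus.UNKNOWN   # produced in the future: not trustworthy
        if single.next_update is not None and single.next_update < now - MAX_CLOCK_SKEW:
            return CertStatus.UNKNOWN   # pre-produced/cached response has expired
        return single.status
    return CertStatus.UNKNOWN           # the response says nothing about this certificate


def accept_client_cert(resp: BasicResponse, presented: CertID, now: datetime) -> bool:
    """Mutual-TLS decision: only a fresh, matching GOOD entry authenticates the client."""
    return find_status(resp, presented, now) is CertStatus.GOOD


# --- constructed sample data (not a real CA, not real certificates) ---
ISSUER_NAME = b"CN=Example Client CA,O=Example"  # stands in for the DER-encoded issuer Name
ISSUER_KEY = b"example-issuer-public-key-bytes"  # stands in for the issuer's public key
NOW = datetime(2018, 7, 31, 12, 0, tzinfo=timezone.utc)

GOOD_CERT = cert_id_for(ISSUER_NAME, ISSUER_KEY, 0x1001)
REVOKED_CERT = cert_id_for(ISSUER_NAME, ISSUER_KEY, 0x2002)
ABSENT_CERT = cert_id_for(ISSUER_NAME, ISSUER_KEY, 0x3003)

# A pre-produced response covering two certificates; the revoked one is listed second.
RESPONSE = BasicResponse((
    SingleResponse(GOOD_CERT, CertStatus.GOOD, NOW - timedelta(hours=1), NOW + timedelta(days=7)),
    SingleResponse(REVOKED_CERT, CertStatus.REVOKED, NOW - timedelta(hours=1), NOW + timedelta(days=7)),
))
LATER = NOW + timedelta(days=30)  # after nextUpdate: the response is stale


if __name__ == "__main__":
    print("flawed :", flawed_status(RESPONSE, REVOKED_CERT).value)     # good -> revoked client gets in
    print("correct:", find_status(RESPONSE, REVOKED_CERT, NOW).value)  # revoked
    print("absent :", accept_client_cert(RESPONSE, ABSENT_CERT, NOW))  # False
    print("stale  :", accept_client_cert(RESPONSE, GOOD_CERT, LATER))  # False
```

The point to take from the model is that a responder is free to answer with a list, and the entry order carries no meaning; any check that does not match on the full CertID (hash algorithm, issuer name hash, issuer key hash, serial) can be satisfied by a status that belongs to some other certificate. Freshness matters for the same reason: a pre-produced response is by definition served from a cache, so an expired nextUpdate must also fail closed.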
Recommendations: Update Apache Tomcat Native to a release that properly checks OCSP pre-produced responses: 1.1.35 or later on the 1.1.x branch, 1.2.17 or later on the 1.2.x branch. Disabling OCSP checks takes the vulnerable code path out of use, but it also removes revocation checking altogether, so on its own it does not restore the protection that revocation is meant to provide on mutual-TLS connections. If updating is not immediately possible, enforce revocation by another means in the meantime, for example a CRL supplied to the server (the SSLCARevocationFile or SSLCARevocationPath attributes of the APR/native connector, or certificateRevocationListFile on SSLHostConfig in Tomcat 8.5 and later) or revocation checking at a TLS-terminating front end, and re-enable OCSP only once the updated Tomcat Native library is in place.

Weakness Enumeration

CWE-295: Improper Certificate Validation

Related Identifiers

ALT-PU-2019-1916
ALT-PU-2021-2859
CVE-2018-8020
DLA-1475-1
MGASA-2019-0184
RHSA-2018:2469
SUSE-SU-2019:14014-1

Affected Products

Alt Linux
Apache Tomcat Native
Suse