Apache Tomcat Native Connector Certificate Parsing Error Lets Remote Users Bypass OCSP Checks on the Target System
SecurityTracker Alert ID: 1040390|
SecurityTracker URL: http://securitytracker.com/id/1040390
(Links to External Site)
Date: Feb 19 2018
Host/resource access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): Tomcat Native 1.2.0 - 1.2.14, 1.1.23 - 1.1.34|
A vulnerability was reported in Apache Tomcat Native Connector. A remote user can bypass security controls on the target system.|
A remote user can create a client certificate with a specially crafted AIA-Extension field that, when parsed by Tomcat Native, will trigger a parser error and cause the OCSP check to be skipped.
Systems that use OCSP checks are affected.
Jonas Klempel reported this vulnerability.
A remote user can bypass OCSP security checks on the target system.|
The vendor has issued a fix (Tomcat Native 1.2.16; Apache Tomcat 7.0.84, 8.0.48, 8.5.24, 9.0.2) [in November 2017].|
The vendor advisory is available at:
Vendor URL: tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.16 (Links to External Site)
Access control error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: [SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted|
CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted
Vendor: The Apache Software Foundation
Apache Tomcat Native 1.2.0 to 1.2.14
Apache Tomcat Native 1.1.23 to 1.1.34
When parsing the AIA-Extension field of a client certificate, Apache
Tomcat Native did not correctly handle fields longer than 127 bytes. The
result of the parsing error was to skip the OCSP check. It was therefore
possible for client certificates that should have been rejected (if the
OCSP check had been made) to be accepted.
Users not using OCSP checks are not affected by this vulnerability.
Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 1.2.16 or later
Note: 1.2.15 was not released
This version was included in Apache Tomcat 9.0.2 onwards, 8.5.24
onwards, 8.0.48 onwards and 7.0.84 onwards.
This issue was reported responsibly to the Apache Tomcat Security Team
by Jonas Klempel.
2018-01-31 Original advisory