SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat Native Connector Certificate Parsing Error Lets Remote Users Bypass OCSP Checks on the Target System
SecurityTracker Alert ID:  1040390
SecurityTracker URL:  http://securitytracker.com/id/1040390
CVE Reference:   CVE-2017-15698
Date:  Feb 19 2018
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Tomcat Native 1.2.0 - 1.2.14, 1.1.23 - 1.1.34
Description:   A vulnerability was reported in Apache Tomcat Native Connector. A remote user can bypass security controls on the target system.

A remote user can create a client certificate with a specially crafted AIA-Extension field that, when parsed by Tomcat Native, will trigger a parser error and cause the OCSP check to be skipped.

Systems that use OCSP checks are affected.

Jonas Klempel reported this vulnerability.

Impact:   A remote user can bypass OCSP security checks on the target system.
Solution:   The vendor has issued a fix (Tomcat Native 1.2.16; Apache Tomcat 7.0.84, 8.0.48, 8.5.24, 9.0.2) [in November 2017].

The vendor advisory is available at:

http://tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.16

Vendor URL:  tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.16
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted


CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.14
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
When parsing the AIA-Extension field of a client certificate, Apache
Tomcat Native did not correctly handle fields longer than 127 bytes. The
result of the parsing error was to skip the OCSP check. It was therefore
possible for client certificates that should have been rejected (if the
OCSP check had been made) to be accepted.
Users not using OCSP checks are not affected by this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 1.2.16 or later
  Note: 1.2.15 was not released
        This version was included in Apache Tomcat 9.0.2 onwards, 8.5.24
        onwards, 8.0.48 onwards and 7.0.84 onwards.

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by Jonas Klempel.

History:
2018-01-31 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html
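As an added illustration (not Tomcat Native's code), the following Python shows why 127 bytes is the significant boundary in both descriptions above: it is the limit of the DER short-form length octet, and a length of 128 or more uses the long form. It contrasts a correct DER length decoder with a hypothetical short-form-only decoder, and a fail-open policy (a parse error skips the OCSP check, the outcome the advisory describes) with a fail-closed one; the sample extension bytes and the function names are constructed for this example.

```python
# Added illustration, not Tomcat Native's code. The 127-byte boundary in the
# advisory is the limit of the DER short-form length octet; lengths of 128 or
# more use the long form (0x80 | n, followed by n big-endian length octets).

def der_length(buf: bytes, pos: int):
    """Correct DER length decoder: returns (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one octet, values 0..127
        return first, pos + 1
    n = first & 0x7F                      # long form: n = number of length octets
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("invalid DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80:                     # DER requires the minimal encoding
        raise ValueError("non-minimal DER length")
    return length, pos + 1 + n

def der_length_short_only(buf: bytes, pos: int):
    """Hypothetical buggy decoder that assumes the short form. It illustrates
    the class of bug; it is not the vendor's actual code."""
    return buf[pos], pos + 1

def encode_length(length: int) -> bytes:
    """DER-encode a length, choosing short or long form as required."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def sample_aia(size: int) -> bytes:
    """Constructed sample extension: a SEQUENCE (tag 0x30) around `size` bytes."""
    return b"\x30" + encode_length(size) + b"A" * size

def ocsp_decision(ext: bytes, decoder, fail_open: bool) -> str:
    """'ocsp-check' when the extension parses cleanly. On a parse error a
    fail-open policy skips the check (the advisory's outcome); a fail-closed
    policy rejects the certificate instead."""
    try:
        if ext[0] != 0x30:
            raise ValueError("expected SEQUENCE")
        length, start = decoder(ext, 1)
        if start + length != len(ext):
            raise ValueError("length does not match extension size")
        return "ocsp-check"               # proceed to extract the OCSP URI
    except (ValueError, IndexError):
        return "skip" if fail_open else "reject"
```

With a 200-byte payload the short-form-only decoder reads the long-form prefix byte 0x81 as a length of 129, the size check fails, and only the fail-closed policy turns that error into a rejection rather than a skipped check.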

Copyright 2019, SecurityGlobal.net LLC