Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat Native Connector Certificate Parsing Error Lets Remote Users Bypass OCSP Checks on the Target System
SecurityTracker Alert ID:  1040390
SecurityTracker URL:
CVE Reference:   CVE-2017-15698   (Links to External Site)
Date:  Feb 19 2018
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Tomcat Native 1.2.0 - 1.2.14, 1.1.23 - 1.1.34
Description:   A vulnerability was reported in Apache Tomcat Native Connector. A remote user can bypass security controls on the target system.

A remote user can create a client certificate with a specially crafted AIA-Extension field that, when parsed by Tomcat Native, will trigger a parser error and cause the OCSP check to be skipped.

Systems that use OCSP checks are affected.

Jonas Klempel reported this vulnerability.

Impact:   A remote user can bypass OCSP security checks on the target system.
Solution:   The vendor has issued a fix (Tomcat Native 1.2.16; Apache Tomcat 7.0.84, 8.0.48, 8.5.24, 9.0.2) [in November 2017].

The vendor advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.14
Apache Tomcat Native 1.1.23 to 1.1.34

When parsing the AIA-Extension field of a client certificate, Apache
Tomcat Native did not correctly handle fields longer than 127 bytes. The
result of the parsing error was to skip the OCSP check. It was therefore
possible for client certificates that should have been rejected (if the
OCSP check had been made) to be accepted.
Users not using OCSP checks are not affected by this vulnerability.

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 1.2.16 or later
  Note: 1.2.15 was not released
        This version was included in Apache Tomcat 9.0.2 onwards, 8.5.24
        onwards, 8.0.48 onwards and 7.0.84 onwards.

This issue was reported responsibly to the Apache Tomcat Security Team
by Jonas Klempel.

2018-01-31 Original advisory



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC