When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

The version of Symantec Content Analysis running on the   remote host is prior to version 2.3.5.1. It is, therefore,   affected by multiple vulnerabilities:
    - An improper handing of overflow in the UTF-8 decoder       with supplementary characters can lead to an infinite       loop in the decoder causing a Denial of Service.
      (CVE-2018-1336)

    - When using an OCSP responder Apache Tomcat Native       1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly       handle invalid responses. This allowed for revoked client       certificates to be incorrectly identified. It was therefore       possible for users to authenticate with revoked certificates       when using mutual TLS.(CVE-2018-8019)       
    - Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has       a flaw that does not properly check OCSP pre-produced responses,       which are lists (multiple entries) of certificate statuses.
      (CVE-2018-8020)

    - The host name verification when using TLS with the       WebSocket client was missing. It is now enabled by       default. (CVE-2018-8034)

This update for libtcnative-1-0 to version 1.1.34 fixes the following issues :

CVE-2017-15698: Fixed an improper handling of fields with more than 127 bytes which could allow invalid client certificates to be accepted (bsc#1078679).

CVE-2018-8019: When using an OCSP responder did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS (bsc#1103348).

CVE-2018-8020: Did not properly check OCSP pre-produced responses.
Revoked client certificates may have not been properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS (bsc#1103347).

For a complete list of changes please see http://tomcat.apache.org/native-1.1-doc/miscellaneous/changelog.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

When using an OCSP responder Tomcat Native did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

For Debian 8 'Jessie', these problems have been fixed in version 1.1.32~repack-2+deb8u2.

We recommend that you upgrade your tomcat-native packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2469 advisory.

  - tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)

  - tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)

  - tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates     (CVE-2018-8020)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
125550	Symantec Content Analysis < 2.3.5.1 affected by Multiple Vulnerabilities (SYMSA1463)	Nessus	Misc.	high
123971	SUSE SLES11 Security Update : libtcnative-1-0 (SUSE-SU-2019:14014-1)	Nessus	SuSE Local Security Checks	high
112065	Debian DLA-1475-1 : tomcat-native security update	Nessus	Debian Local Security Checks	high
111804	RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 4 (RHSA-2018:2469)	Nessus	Red Hat Local Security Checks	critical

Detections

Analytics

CVE-2018-8019

high

Tenable Plugins

high

high

high

critical