Jonas Klempel reported that tomcat-native, a library giving Tomcat access to the Apache Portable Runtime (APR) library's network connection (socket) implementation and random-number generator, does not properly handle fields longer than 127 bytes when parsing the AIA-Extension field of a client certificate. If OCSP checks are used, this could result in client certificates that should have been rejected to be accepted.

Mishandling of client certificates can allow for OCSP check bypass :

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability. (CVE-2017-15698)

Security fix for CVE-2017-15698

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libtcnative-1-0 to version 1.1.34 fixes the following issues :

CVE-2017-15698: Fixed an improper handling of fields with more than 127 bytes which could allow invalid client certificates to be accepted (bsc#1078679).

CVE-2018-8019: When using an OCSP responder did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS (bsc#1103348).

CVE-2018-8020: Did not properly check OCSP pre-produced responses.
Revoked client certificates may have not been properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS (bsc#1103347).

For a complete list of changes please see http://tomcat.apache.org/native-1.1-doc/miscellaneous/changelog.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jonas Klempel discovered that, when parsing the AIA-Extension field of a client certificate, Apache Tomcat Native did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

For Debian 7 'Wheezy', these problems have been fixed in version 1.1.24-1+deb7u1.

We recommend that you upgrade your tomcat-native packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 2 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es) :

* apr: Out-of-bounds array deref in apr_time_exp*() functions (CVE-2017-12613)

* tomcat: Remote Code Execution via JSP Upload (CVE-2017-12615)

* tomcat: Information Disclosure when using VirtualDirContext (CVE-2017-12616)

* tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617)

* tomcat-native: Mishandling of client certificates can allow for OCSP check bypass (CVE-2017-15698)

* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)

* tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

ID	Name	Product	Family	Published	Updated	Severity
106876	Debian DSA-4118-1 : tomcat-native - security update	Nessus	Debian Local Security Checks	2/20/2018	11/13/2018	medium
107236	Amazon Linux AMI : tomcat-native (ALAS-2018-965)	Nessus	Amazon Linux Local Security Checks	3/9/2018	4/18/2018	medium
106730	Fedora 26 : tomcat-native (2018-318b5d74bd)	Nessus	Fedora Local Security Checks	2/12/2018	1/6/2021	medium
123971	SUSE SLES11 Security Update : libtcnative-1-0 (SUSE-SU-2019:14014-1)	Nessus	SuSE Local Security Checks	4/10/2019	1/26/2022	high
106724	Debian DLA-1276-1 : tomcat-native security update	Nessus	Debian Local Security Checks	2/12/2018	1/11/2021	medium
106731	Fedora 27 : tomcat-native (2018-7b1517bc6e)	Nessus	Fedora Local Security Checks	2/12/2018	1/6/2021	medium
107208	RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 2 (RHSA-2018:0466)	Nessus	Red Hat Local Security Checks	3/8/2018	4/25/2023	high

Detections

Analytics

Plugins Search

medium

medium

medium

high

medium

medium

high