Apache Tomcat Native Connector CVE-2017-15698 Certificate Validation Security Bypass Vulnerability
BID:105851
Info
| Bugtraq ID: | 105851 |
| Class: | Design Error |
| CVE: | CVE-2017-15698 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 31 2018 12:00AM |
| Updated: | Jan 31 2018 12:00AM |
| Credit: | Jonas Klempel |
| Vulnerable: | Redhat JBoss EWS 2; Redhat JBoss Enterprise Web Server Text-Only Advisories 0; Redhat JBoss Enterprise Web Server 3 for RHEL 7 0; Redhat JBoss Enterprise Web Server 3 for RHEL 6 0; Redhat Jboss EAP 6; Redhat Jboss EAP 5; Debian Linux 9.0; Debian Linux 8.0; Apache Tomcat Native Library 1.2.14; Apache Tomcat Native Library 1.2; Apache Tomcat Native Library 1.1.34; Apache Tomcat Native Library 1.1.30; Apache Tomcat Native Library 1.1.29; Apache Tomcat Native Library 1.1.24; Apache Tomcat Native Library 1.1.23 |
| Not Vulnerable: | |
Discussion
Apache Tomcat Native Connector is prone to a security-bypass vulnerability.
An attacker can exploit this issue to perform man-in-the-middle attacks and certain unauthorized actions, which will aid in further attacks.
Tomcat Native 1.2.0 through 1.2.14, and 1.1.23 through 1.1.34 are vulnerable.
Exploit / POC
An attacker can use readily available tools to exploit this issue.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- [SECURITY] CVE-2017-15698 Apache Tomcat Native Connector - OCSP check omitted (Apache)
- Apache Homepage (Apache)
- [SECURITY] [DLA 1276-1] tomcat-native security update (Debian)
- CVE-2017-15698 (Redhat)
- CVE-2017-15698 tomcat-native: Mishandling of client certificates (Redhat)
- DSA-4118-1 tomcat-native -- security update (Debian)
- RHSA-2018:0465 - Security Advisory (Redhat)
- RHSA-2018:0466 - Security Advisory (Redhat)
- SYMSA1463: Apache Tomcat Vulnerabilities Jan-Aug 2018 (Symantec)