Flaw in Apache Tomcat Native Allows Authentication with Revoked Client Certificates
CVE-2018-8020
What is CVE-2018-8020?
Apache Tomcat Native versions 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 contain a vulnerability in which OCSP pre-produced responses are processed incorrectly. As a result, a revoked client certificate can be accepted as valid, allowing its holder to authenticate to connections that rely on mutual TLS authentication. The vulnerability primarily affects deployments that use OCSP checks for certificate validation, potentially exposing sensitive information and compromising server security.

Affected Version(s)
Apache Tomcat Native 1.2.0 to 1.2.16
Apache Tomcat Native 1.1.23 to 1.1.34