Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2017-15698

Опубликовано: 31 янв. 2018
Источник: redhat
CVSS3: 5.4
EPSS Низкий

Описание

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat JBoss Enterprise Application Platform 5tomcat-nativeNot affected
Red Hat JBoss Enterprise Application Platform 6tomcat-nativeWill not fix
Red Hat JBoss Enterprise Web Server 2tomcat-nativeWill not fix
Red Hat JBoss Web Server 3.1FixedRHSA-2018:046507.03.2018
Red Hat JBoss Web Server 3 for RHEL 6mod_clusterFixedRHSA-2018:046607.03.2018
Red Hat JBoss Web Server 3 for RHEL 6tomcat7FixedRHSA-2018:046607.03.2018
Red Hat JBoss Web Server 3 for RHEL 6tomcat8FixedRHSA-2018:046607.03.2018
Red Hat JBoss Web Server 3 for RHEL 6tomcat-nativeFixedRHSA-2018:046607.03.2018
Red Hat JBoss Web Server 3 for RHEL 6tomcat-vaultFixedRHSA-2018:046607.03.2018
Red Hat JBoss Web Server 3 for RHEL 7mod_clusterFixedRHSA-2018:046607.03.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-299
https://bugzilla.redhat.com/show_bug.cgi?id=1540824tomcat-native: Mishandling of client certificates can allow for OCSP check bypass

EPSS

Процентиль: 74%
0.00826
Низкий

5.4 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2017-15698

CVSS3: 5.9
ubuntu
около 8 лет назад

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

nvd логотип

CVE-2017-15698

CVSS3: 5.9
nvd
около 8 лет назад

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

debian логотип

CVE-2017-15698

CVSS3: 5.9
debian
около 8 лет назад

When parsing the AIA-Extension field of a client certificate, Apache T ...

github логотип

GHSA-ppg5-72hh-9jj4

CVSS3: 5.9
github
больше 3 лет назад

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

suse-cvrf логотип

SUSE-SU-2019:14014-1

suse-cvrf
почти 7 лет назад

Security update for libtcnative-1-0

EPSS

Процентиль: 74%
0.00826
Низкий

5.4 Medium

CVSS3