4.3
MEDIUM

CVE-2018-8020

Published: 31/07/2018 Updated: 12/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2

Vulnerability Summary

Apache Tomcat Native Connector CVE-2018-8020 Remote Security Vulnerability

Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

A vulnerability in Apache Tomcat Native could allow an authenticated, remote attacker to gain unauthorized access to a targeted system. The vulnerability exists because the affected software improperly handles Online Certificate Status Protocol (OCSP) pre-produced responses. As a result, revoked certificates may not be properly identified. An attacker could exploit this vulnerability by using a revoked certificate to authenticate to a targeted system that uses a mutual Transport Layer Security (TLS) connection. A successful exploit could allow the attacker to gain unauthorized access to the system, which could be used to conduct further attacks. Apache has confirmed the vulnerability and released software updates.

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Vulnerability Trend

Affected Products

Vendor Product Versions
ApacheTomcat Native1.1.23, 1.1.24, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16
DebianDebian Linux8.0

Vendor Advisories

Synopsis Important: Red Hat JBoss Web Server 310 Service Pack 4 security and bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31 for RHEL 6 and Red Hat JBoss Web Server 31 for RHEL 7Red Hat Product Security has rated this release as ...
Synopsis Important: Red Hat JBoss Web Server 310 Service Pack 4 security and bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31Red Hat Product Security has rated this release as having a security impact of Important A Common Vulner ...
When using pre-produced responses from an OCSP responder, Tomcat Native did not correctly validate the status of certificates This allowed for revoked client certificates to be incorrectly identified It was therefore possible for users to authenticate with revoked certificates when using mutual TLS ...

References