CVE-2017-15698

Impact:
Moderate
Public Date:
2018-01-31
CWE:
CWE-299
Bugzilla:
1540824: CVE-2017-15698 tomcat-native: Mishandling of client certificates can allow for OCSP check bypass

The MITRE CVE dictionary describes this issue as:

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

Find out more about CVE-2017-15698 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 5.4
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Web Server 3.1 for RHEL 7 (tomcat-native) RHSA-2018:0466 2018-03-07
Red Hat JBoss Web Server 3.1 for RHEL 6 (tomcat-native) RHSA-2018:0466 2018-03-07
Red Hat JBoss Web Server 3.1 RHSA-2018:0465 2018-03-07

Affected Packages State

Platform Package State
Red Hat JBoss EWS 2 tomcat-native Will not fix
Red Hat JBoss EAP 6 tomcat-native Will not fix
Red Hat JBoss EAP 5 tomcat-native Not affected

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.