Apache Tomcat APR/native Connector vulnerabilities

This page lists all security vulnerabilities fixed in released versions of the Apache Tomcat APR/native Connector. Each vulnerability is given a security impact rating by the Apache Tomcat ® security team; please note that this rating may vary from platform to platform. We also list the versions of the Apache Tomcat APR/native Connector the flaw is known to affect, and where a flaw has not been verified, we list the version with a question mark.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

Fixed in Apache Tomcat Native Connector 1.2.17

Moderate: Mishandled OCSP invalid response CVE-2018-8019

When using an OCSP responder, Tomcat Native did not correctly handle invalid responses. This allowed revoked client certificates to be incorrectly identified as valid. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS.

This was fixed in revision 1832832.

Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34

Important: Mishandled OCSP responses can allow clients to authenticate with revoked certificates CVE-2018-8020

Apache Tomcat Native has a flaw in that it does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Consequently, revoked client certificates may not be properly identified, allowing users to authenticate with revoked certificates to connections that require mutual TLS.

This was fixed in revision 1832863.

Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34
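The two entries above describe one fail-open pattern from two directions: an error or otherwise invalid response (CVE-2018-8019) and a pre-produced response that carries several single responses (CVE-2018-8020). The Python block below is an added illustration for this page, not tcnative code and not a reconstruction of the actual defect. It models an OCSP response as a plain data structure (the real structure is ASN.1 per RFC 6960) and shows a fail-closed evaluation next to a deliberately naive checker that ignores the response status and only consults the first entry. The serial numbers, the sample responses and the naive checker are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class ResponseStatus(Enum):
    # OCSPResponseStatus values from RFC 6960, section 4.2.1
    SUCCESSFUL = 0
    MALFORMED_REQUEST = 1
    INTERNAL_ERROR = 2
    TRY_LATER = 3
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class SingleResponse:
    serial: int          # serial number of the certificate this entry covers
    status: CertStatus


@dataclass
class OcspResponse:
    response_status: ResponseStatus
    responses: List[SingleResponse]   # several entries in a pre-produced response


def accept_client_cert(resp: Optional[OcspResponse], serial: int) -> bool:
    """Fail closed: the handshake proceeds only on a SUCCESSFUL response that
    contains a GOOD entry for exactly this serial. No response, an error
    status, a revoked or unknown entry, or a serial the response does not
    cover all reject the client certificate."""
    if resp is None:
        return False
    if resp.response_status is not ResponseStatus.SUCCESSFUL:
        return False
    for single in resp.responses:          # scan every entry, not only the first
        if single.serial == serial:
            return single.status is CertStatus.GOOD
    return False


def naive_accept_client_cert(resp: Optional[OcspResponse], serial: int) -> bool:
    """Constructed, deliberately wrong checker: it ignores the response status,
    looks at the first entry only and treats "no revoked entry seen" as good.
    It shows the failure class; it is not tcnative's actual logic."""
    if resp is None or not resp.responses:
        return True                         # nothing to check, so it fails open
    first = resp.responses[0]
    return first.status is not CertStatus.REVOKED


# Constructed sample data for the example (not real certificates).
SERIAL_GOOD = 0x1000
SERIAL_REVOKED = 0x1001
SERIAL_UNLISTED = 0x2000

PREPRODUCED = OcspResponse(
    ResponseStatus.SUCCESSFUL,
    [SingleResponse(SERIAL_GOOD, CertStatus.GOOD),
     SingleResponse(SERIAL_REVOKED, CertStatus.REVOKED)],
)
ERROR_RESPONSE = OcspResponse(ResponseStatus.TRY_LATER, [])


def compare() -> dict:
    """Return (strict, naive) verdicts for each constructed scenario."""
    cases = {
        "revoked serial, second entry": (PREPRODUCED, SERIAL_REVOKED),
        "good serial, first entry": (PREPRODUCED, SERIAL_GOOD),
        "serial not covered": (PREPRODUCED, SERIAL_UNLISTED),
        "responder returned tryLater": (ERROR_RESPONSE, SERIAL_REVOKED),
        "no response at all": (None, SERIAL_REVOKED),
    }
    return {name: (accept_client_cert(r, s), naive_accept_client_cert(r, s))
            for name, (r, s) in cases.items()}


if __name__ == "__main__":
    for name, (strict, naive) in compare().items():
        print(f"{name:32s} strict={strict!s:5s} naive={naive}")
```

The point of the comparison is that every path out of `accept_client_cert` other than "found this serial, status good" is a rejection; the naive variant has three distinct ways to say yes to a revoked certificate, which is why the impact ratings above are about authentication with revoked certificates rather than a denial of service.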

Fixed in Apache Tomcat Native Connector 1.2.16

Note: The issue below was fixed in Apache Tomcat Native Connector 1.2.15, but the release vote for the 1.2.15 release candidate did not pass. Therefore, although users must download 1.2.16 to obtain a version that includes the fix for this issue, version 1.2.15 is not included in the list of affected versions.

Moderate: OCSP check omitted CVE-2017-15698

When parsing the AIA-Extension field of a client certificate, the Apache Tomcat Native Connector did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (had the OCSP check been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

This was fixed in revisions 1815200 and 1815218.

This issue was reported to the Apache Tomcat Security Team by Jonas Klempel on 6 November 2017 and made public on 31 January 2018.

Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34
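The 127-byte boundary in the entry above is the DER length-encoding boundary: a length up to 127 fits in a single byte (short form), while anything longer uses a multi-byte long form whose first byte is 0x80 | n, followed by n length bytes. The Python block below is an added example for this page, not tcnative's parser and not a reconstruction of its exact defect. It implements a correct DER length decoder beside a constructed short-form-only reader, and shows what each recovers from a constructed accessLocation of 25 bytes and of 130 bytes. The tag value 0x86 for the [6] uniformResourceIdentifier GeneralName choice comes from RFC 5280; the URLs and the helper names are made up for the example.

```python
from typing import Callable, Optional, Tuple

# Tag of the GeneralName choice [6] uniformResourceIdentifier (context-specific,
# primitive, number 6) as it appears in an AIA AccessDescription.accessLocation.
TAG_URI = 0x86


def der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the DER length starting at buf[pos]; return (length, header_bytes).
    Short form (0x00..0x7F) is one byte. Lengths >= 128 use the long form:
    one byte 0x80 | n followed by n big-endian length bytes."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    if pos + 1 + n > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80 or buf[pos + 1] == 0:
        raise ValueError("length not minimally encoded")   # DER forbids this
    return length, 1 + n


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one tag-length-value element; return (tag, value, next_pos)."""
    tag = buf[pos]
    length, hdr = der_length(buf, pos + 1)
    start = pos + 1 + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[start:end], end


def naive_read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Constructed short-form-only reader: right for values up to 127 bytes,
    wrong beyond that because it takes the 0x8n long-form marker as the length."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    return tag, buf[start:start + length], start + length


def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one primitive element with a minimal DER length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


Reader = Callable[[bytes, int], Tuple[int, bytes, int]]


def ocsp_uri(access_location: bytes, reader: Reader = read_tlv) -> Optional[str]:
    """Return the responder URL from an encoded accessLocation, or None if the
    element is not a usable [6] URI. A caller that skips OCSP whenever this
    returns None fails open, which is the shape of the issue described above."""
    try:
        tag, value, _ = reader(access_location, 0)
        uri = value.decode("ascii")
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    if tag != TAG_URI or not uri.startswith(("http://", "https://")):
        return None
    return uri


# Constructed sample locations (not from a real certificate): one well under the
# 127-byte short-form limit and one of 130 bytes that needs the long form.
SHORT_URL = b"http://ocsp.example.test/"
LONG_URL = SHORT_URL + b"x" * (130 - len(SHORT_URL))
SHORT_LOC = der_encode(TAG_URI, SHORT_URL)    # bytes: 86 19 ...
LONG_LOC = der_encode(TAG_URI, LONG_URL)      # bytes: 86 81 82 ...


if __name__ == "__main__":
    for name, loc in (("short", SHORT_LOC), ("long", LONG_LOC)):
        print(name, "strict:", ocsp_uri(loc), "naive:", ocsp_uri(loc, naive_read_tlv))
```

On the 130-byte location the naive reader takes 0x81 as a length of 129 and returns a value that begins with the 0x82 length byte, so the "URL" is not even ASCII and no responder can be contacted. Whether a parser then aborts the handshake or quietly skips the check is the decision that turns a parsing bug into an authentication bypass.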

Not a vulnerability in the Apache Tomcat APR/native Connector

TLS SSL Man In The Middle CVE-2009-3555

A vulnerability exists in the TLS protocol that allows an attacker to inject arbitrary requests into a TLS stream during renegotiation.

The TLS implementation used by Tomcat varies with connector. The APR/native connector uses OpenSSL.

The APR/native connector is vulnerable if the OpenSSL version used is vulnerable. Note: building with OpenSSL 0.9.8l disables all renegotiation and so protects against this vulnerability.

From 1.1.18 onwards, client-initiated renegotiations are rejected, which provides partial protection against this vulnerability with any OpenSSL version.

Users should be aware that the impact of disabling renegotiation varies with both application and client. In some circumstances, disabling renegotiation may leave some clients unable to access the application.

Important: Remote Memory Read CVE-2014-0160 (a.k.a. "Heartbleed")

A bug in certain versions of OpenSSL allows an unauthenticated remote user to read portions of the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29 include a vulnerable version of OpenSSL. tcnative 1.1.30 and later ship with patched versions of OpenSSL.

This issue was first announced on 7 April 2014.

Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29