CVE-2017-15698

MEDIUM

Apache Tomcat Native 1.1.23-1.1.34 and 1.2.0-1.2.14 - Improper Certificate Validation in AIA-Extension Field

Title source: llm
STIX 2.1

Description

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

References (10)

Core 10
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4118
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/02/msg00011.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0465
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040390
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0466

Scores

CVSS v3 5.9
EPSS 0.0043
EPSS Percentile 62.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-295
Status published
Products (3)
apache/tomcat_native 1.1.23 - 1.1.34
debian/debian_linux 8.0
debian/debian_linux 9.0
Published Jan 31, 2018
Tracked Since Feb 18, 2026