Product and software information
Certificate validation vulnerability in Apache Tomcat Native Connector
Title Certificate validation vulnerability in Apache Tomcat Native Connector
Summary

Apache Tomcat Native Connector contains a vulnerability related to certificate validation.

Possible impacts Information may be tampered with.
Solution

The vendor has released an official fix. Refer to the vendor information and apply the appropriate measures.

Publication Date Oct. 21, 2017, midnight
Registration Date March 13, 2018, 3:04 p.m.
Last Update March 13, 2018, 3:04 p.m.
CVSS3.0 : Warning
Score 5.9
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS2.0 : Warning
Score 4.3
Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Affected System
Apache Software Foundation
Apache Tomcat Native Connector 1.1.23 to 1.1.34
Apache Tomcat Native Connector 1.2.0 to 1.2.14
Debian
Debian GNU/Linux 8.0
Debian GNU/Linux 9.0
CVE (Common Vulnerabilities and Exposures identifier)
CWE (Common Weakness Enumeration)
Vendor information
Change Log
No. / Changed details / Date of change
1 / [March 13, 2018] Published / March 13, 2018, 3:04 p.m.

NVD Vulnerability Information
CVE-2017-15698
Summary

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.
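
The 127-byte boundary in the summary is where DER, the encoding used for X.509 extensions, switches from a one-byte short-form length to a multi-byte long-form length. The following is an added example, not Tomcat Native's code: a length parser that handles both forms and a caller that rejects the certificate on any parse error instead of skipping the OCSP check. The names `der_read_length`, `aia_value` and `ocsp_action` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names for illustration; not taken from Tomcat Native. */
enum ocsp_action { OCSP_CHECK = 0, OCSP_REJECT = 1 };

/* Read a DER length starting at buf[*pos]. Returns 0 on success, -1 if malformed. */
static int der_read_length(const uint8_t *buf, size_t buflen,
                           size_t *pos, size_t *out)
{
    if (*pos >= buflen)
        return -1;
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) {              /* short form: lengths 0..127 */
        *out = first;
        return 0;
    }
    size_t n = first & 0x7F;         /* long form: n length octets follow */
    /* n == 0 is the indefinite form, which DER forbids */
    if (n == 0 || n > sizeof(size_t) || n > buflen - *pos)
        return -1;
    if (buf[*pos] == 0)              /* leading zero octet: not minimal */
        return -1;
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | buf[(*pos)++];
    if (len < 0x80)                  /* must have used the short form */
        return -1;
    *out = len;
    return 0;
}

/* Locate the contents of an AIA extension value (a DER SEQUENCE).
 * Any parse failure returns OCSP_REJECT: the caller must refuse the
 * certificate rather than proceed without a revocation check. */
enum ocsp_action aia_value(const uint8_t *ext, size_t extlen,
                           const uint8_t **val, size_t *vallen)
{
    size_t pos = 0, len = 0;
    if (extlen < 2 || ext[pos++] != 0x30)       /* 0x30 = SEQUENCE tag */
        return OCSP_REJECT;
    if (der_read_length(ext, extlen, &pos, &len) != 0)
        return OCSP_REJECT;
    if (len != extlen - pos)                    /* truncated or trailing data */
        return OCSP_REJECT;
    *val = ext + pos;
    *vallen = len;
    return OCSP_CHECK;
}
```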

Publication Date Jan. 31, 2018, 11:29 p.m.
Registration Date Jan. 26, 2021, 1:17 p.m.
Last Update Nov. 21, 2024, 12:15 p.m.
Affected software configurations
Configuration 1
cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:* (1.1.23 or higher, 1.1.34 or less)
cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:* (1.2.0 or higher, 1.2.14 or less)
Configuration 2
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List