Table of Contents

Apache Tomcat APR/native Connector vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat APR/native Connector. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat APR/native Connectors the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

Fixed in Apache Tomcat Native Connector 1.2.17

Moderate: Mishandled OCSP invalid response CVE-2018-8019

When using an OCSP responder Tomcat Native did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS.

This was fixed in revision 1832832.

Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34

Important: Mishandled OCSP responses can allow clients to authenticate with revoked certificates CVE-2018-8020

Apache Tomcat Native has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certicates to connections that require mutual TLS.

This was fixed in revision 1832863.

Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34

Fixed in Apache Tomcat Native Connector 1.2.16

Note: The issue below was fixed in Apache Tomcat Native Connector 1.2.15 but the release vote for the 1.2.15 release candidate did not pass. Therefore, although users must download 1.2.16 to obtain a version that includes the fix for this issue, version 1.2.15 is not included in the list of affected versions.

Moderate: OCSP check omitted CVE-2017-15698

When parsing the AIA-Extension field of a client certificate, the Apache Tomcat Native Connector did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

This was fixed in revisions 1815200 and 1815218.

This issue was reported to the Apache Tomcat Security Team by Jonas Klempel on 6 November 2017 and made public on 31 January 2018.

Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34

Not a vulnerability in the Apache Tomcat APR/native Connector

TLS SSL Man In The Middle CVE-2009-3555

A vulnerability exists in the TLS protocol that allows an attacker to inject arbitrary requests into an TLS stream during renegotiation.

The TLS implementation used by Tomcat varies with connector. The APR/native connector uses OpenSSL.

The APR/native connector is vulnerable if the OpenSSL version used is vulnerable. Note: Building with OpenSSL 0.9.8l will disable all renegotiation and protect against this vulnerability.

From 1.1.18 onwards, client initiated renegotiations are rejected to provide partial protection against this vulnerability with any OpenSSL version.

Users should be aware that the impact of disabling renegotiation will vary with both application and client. In some circumstances disabling renegotiation may result in some clients being unable to access the application.

Important: Remote Memory Read CVE-2014-0160 (a.k.a. "Heartbleed")

A bug in certain versions of OpenSSL can allow an unauthenticated remote user to read certain contents of the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29 include this vulnerable version of OpenSSL. tcnative 1.1.30 and later ship with patched versions of OpenSSL.

An explanation of how to deterine whether you are vulnerable and what steps to take, see the Tomcat Wiki's Heartbleed page.

This issue was first announced on 7 April 2014.

Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29