vulnerability
Ubuntu: (CVE-2017-15698): tomcat-native vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Jan 31, 2018 | Jun 26, 2025 | Jun 26, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Jan 31, 2018
Added
Jun 26, 2025
Modified
Jun 26, 2025
Description
When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.
Solution
no-fix-ubuntu-package
References
- CVE-2017-15698
- https://attackerkb.com/topics/CVE-2017-15698
- URL-http://svn.apache.org/r1815200
- URL-http://svn.apache.org/r1815218
- URL-https://lists.apache.org/thread.html/6eb0a53e5827d97db1a05c736d01101fec21202a5b8fc77bb0eaaed8@%3Cannounce.tomcat.apache.org%3E
- URL-https://www.cve.org/CVERecord?id=CVE-2017-15698
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.