CVE-2018-8019 — HIGH (7.4) — White Hats Nepal

Q: How severe is CVE-2018-8019?

CVE-2018-8019 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-8019?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Apache Tomcat Native.

Vulnerability Description

When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS. Users not using OCSP checks are not affected by this vulnerability.

CVSS Score

7.4

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	8.0
Apache	Tomcat Native	>= 1.1.23, <= 1.1.34

Related Weaknesses (CWE)

CWE-295

References

http://mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095MitigationVendor Advisory
http://www.securityfocus.com/bid/104936Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041507Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2469Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2470Third Party Advisory
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade0
https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b7
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ec
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08
https://lists.debian.org/debian-lts-announce/2018/08/msg00023.htmlThird Party Advisory
http://mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095MitigationVendor Advisory
http://www.securityfocus.com/bid/104936Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041507Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2469Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2470Third Party Advisory

FAQ

What is CVE-2018-8019?

CVE-2018-8019 is a vulnerability with a CVSS score of 7.4 (HIGH). When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identi...

How severe is CVE-2018-8019?

CVE-2018-8019 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-8019?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Apache Tomcat Native.