The Apache Software Foundation has released new versions of Apache Tomcat Native to address multiple vulnerabilities caused by the improper handling of invalid Online Certificate Status Protocol (OCSP) responses. The flaws may allow attackers to authenticate with revoked certificates when mutual TLS is used.
Successful exploitation of the vulnerabilities could allow an attacker to take control of an affected system.
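An added illustration of the failure mode described above (example code written for this page, not Tomcat Native's own code): a minimal DER decoder for the outer OCSP responseStatus, with a fail-open acceptance rule that models the described bug beside the fail-closed rule a verifier should apply. The `cert_status` argument is assumed to be the per-certificate CertStatus the caller already extracted from a signature-checked BasicOCSPResponse, and the sample byte strings are constructed.

```python
# Illustrative model (not Tomcat Native code) of fail-open versus fail-closed
# handling of an OCSP response during mutual-TLS client authentication.
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}  # RFC 6960; 4 unused

# Constructed sample encodings, not captured from any real responder.
OK_RESPONSE = bytes.fromhex("30030a0100")  # SEQUENCE { ENUMERATED 0 (successful) }
TRY_LATER = bytes.fromhex("30030a0103")    # SEQUENCE { ENUMERATED 3 (tryLater) }
TRUNCATED = bytes.fromhex("30030a01")      # outer length says 3, only 2 bytes follow


def _read_tlv(buf, pos):
    """Decode one DER TLV (definite length); ValueError if truncated or malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def response_status(der):
    """Name of OCSPResponse.responseStatus; ValueError for a malformed response."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, value, _ = _read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1 or value[0] not in STATUS_NAMES:
        raise ValueError("bad responseStatus ENUMERATED")
    return STATUS_NAMES[value[0]]


def accept_fail_open(der, cert_status):
    """Anti-pattern: no parsed verdict is treated as 'not revoked', so a revoked
    certificate paired with an invalid or tryLater response is let in."""
    try:
        verdict = cert_status if response_status(der) == "successful" else None
    except ValueError:
        verdict = None
    return verdict != "revoked"


def accept_fail_closed(der, cert_status):
    """Hardened rule: only a well-formed successful response with CertStatus 'good' admits."""
    try:
        return response_status(der) == "successful" and cert_status == "good"
    except ValueError:
        return False
```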
Administrators of affected systems should upgrade Apache Tomcat Native to address the issues. The updates are available at:
http://tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
http://tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17
https://www.hkcert.org/my_url/en/alert/18082002
https://www.us-cert.gov/ncas/current-activity/2018/08/17/Apache-Releases-Security-Updates-Tomcat-Native
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8019
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8020