ESB-2018.0423 - [Debian] tomcat-native: Unauthorised access - Existing account 2018-02-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0423
                          tomcat security update
                             12 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat-native
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15698  

Reference:         ESB-2018.0316

Original Bulletin: 
   https://security-tracker.debian.org/tracker/CVE-2017-15698

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tomcat-native
Version        : 1.1.24-1+deb7u1
CVE ID         : CVE-2017-15698

Jonas Klempel discovered that, when parsing the AIA-Extension field of
a client certificate, Apache Tomcat Native did not correctly handle
fields longer than 127 bytes. The result of the parsing error was to
skip the OCSP check. It was therefore possible for client certificates
that should have been rejected (if the OCSP check had been made) to be
accepted. Users not using OCSP checks are not affected by this
vulnerability.
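The 127-byte boundary in the advisory is the point at which DER switches
from its one-byte short-form length (0x00..0x7F) to the long form (a
count byte 0x81..0x84 followed by the length bytes), so an extension
value of 128 bytes or more is encoded differently from a shorter one.
The C below is an added illustration, not tomcat-native or Debian code:
it decodes both length forms, and its aia_policy() helper applies the
fail-closed rule the advisory implies, rejecting a certificate whose
extension cannot be parsed instead of silently skipping the OCSP check.
The function names and the sample byte strings are constructed for this
example.

```c
/* Added example (not tomcat-native code): a DER length decoder that
 * handles short-form and long-form lengths, plus a fail-closed policy
 * for an OCSP-style check on a client certificate's AIA extension. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a DER length starting at buf[0]. On success stores the decoded
 * length in *out and the number of header bytes consumed in *hdr and
 * returns 1. Returns 0 on malformed, non-minimal or truncated input. */
int der_read_length(const uint8_t *buf, size_t buflen, size_t *out, size_t *hdr)
{
    if (buflen < 1) return 0;
    uint8_t b = buf[0];
    if (b < 0x80) {                 /* short form: lengths 0..127 */
        *out = b; *hdr = 1; return 1;
    }
    if (b == 0x80 || b == 0xFF) return 0;   /* indefinite / reserved: not DER */
    size_t n = b & 0x7F;            /* number of following length bytes */
    if (n > sizeof(size_t) || buflen < 1 + n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[1 + i];
    /* DER requires the minimal encoding: long form only for values >= 128
     * and no leading zero length byte. */
    if (v < 0x80 || buf[1] == 0) return 0;
    *out = v; *hdr = 1 + n; return 1;
}

/* Convenience wrapper: decoded length, or -1 when the encoding is invalid. */
long decoded_len(const uint8_t *buf, size_t n)
{
    size_t out, hdr;
    return der_read_length(buf, n, &out, &hdr) ? (long)out : -1;
}

/* Fail-closed policy for an AIA extension value (outer DER SEQUENCE).
 * Returns 1 when the value is well-formed and the OCSP check should run,
 * 0 when the certificate must be rejected because the value is malformed.
 * There is deliberately no "skip the check" outcome. */
int aia_policy(const uint8_t *ext, size_t extlen)
{
    size_t len, hdr;
    if (extlen < 1 || ext[0] != 0x30) return 0;                  /* expect SEQUENCE */
    if (!der_read_length(ext + 1, extlen - 1, &len, &hdr)) return 0;
    if (1 + hdr + len != extlen) return 0;                        /* length mismatch */
    return 1;
}

/* Constructed sample length encodings (not taken from any real certificate). */
static const uint8_t LEN_127[]    = {0x7F};             /* short form, 127 */
static const uint8_t LEN_128[]    = {0x81, 0x80};       /* long form, 128 */
static const uint8_t LEN_300[]    = {0x82, 0x01, 0x2C}; /* long form, 300 */
static const uint8_t LEN_NONMIN[] = {0x81, 0x05};       /* 5 in long form: invalid */

/* Constructed AIA-like SEQUENCE with a 127-byte body: 2 header bytes + 127. */
int sample_short_form_ok(void)
{
    uint8_t buf[129];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x30; buf[1] = 0x7F;
    return aia_policy(buf, sizeof buf);
}

/* Constructed SEQUENCE with a 300-byte body: 4 header bytes + 300. */
int sample_long_form_ok(void)
{
    uint8_t buf[304];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x30; buf[1] = 0x82; buf[2] = 0x01; buf[3] = 0x2C;
    return aia_policy(buf, sizeof buf);
}

/* BER indefinite length is not valid DER: must be rejected, not skipped. */
int sample_indefinite_rejected(void)
{
    static const uint8_t buf[] = {0x30, 0x80, 0x00, 0x00};
    return aia_policy(buf, sizeof buf);
}

/* Long-form header cut off before its length bytes: must be rejected. */
int sample_truncated_rejected(void)
{
    static const uint8_t buf[] = {0x30, 0x82, 0x01};
    return aia_policy(buf, sizeof buf);
}

int main(void)
{
    printf("127 -> %ld, 128 -> %ld, 300 -> %ld, non-minimal -> %ld\n",
           decoded_len(LEN_127, sizeof LEN_127), decoded_len(LEN_128, sizeof LEN_128),
           decoded_len(LEN_300, sizeof LEN_300), decoded_len(LEN_NONMIN, sizeof LEN_NONMIN));
    printf("policy: short=%d long=%d indefinite=%d truncated=%d\n",
           sample_short_form_ok(), sample_long_form_ok(),
           sample_indefinite_rejected(), sample_truncated_rejected());
    return 0;
}
```

The design point is in aia_policy(): every parse failure maps to "reject",
so an unexpected encoding can only make the server stricter, never cause
it to accept a certificate it has not checked for revocation.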

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.24-1+deb7u1.

We recommend that you upgrade your tomcat-native packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWoE5mIx+lLeg9Ub1AQglgxAAos/3Q8HRobr5VWDXO9yz5TO9i3pSgQXR
5WdGwyNA7HlUOhSO8KNTvL97o8FakpjhIFPmT0W8hegOmDZOUrJPAAtCigRHeoPA
fBYQfQiRAaSsD5PGGb+Gdtw+CTJLsrWDvRR0O2pOSvKI9tIv4QcepFLjbxZmKMDo
6NVXSCQRJFYnfmPJOyogpNzM+8XHxAHo3AJ2C9s9Q6OPRMqJiSeA0xWIswK1k9ZW
6xF70f6NdE60eGJQyX1riVuuD4sufv35ydRDc+tB9SyzBv5IQHYq6I2cuE3N3z1i
STxqTXxJtllvQuZ7AsZU1X5NExeCMqnuOJeZPyxg4ijqU7wkVnftzArZr2e+/IN7
PbzC6yghopK4zHqFQ01hViwmN3mjaP7O0Oxc17mhXl7O7kBdAhyRjExatlfNuPIU
2OJgE6tiqKYDpTdb0HoGLukn6yDPndw7+AS8m1PSwPMGaNV1/rMN4n5if2+BljFI
p0p7Lj/yRoRQlVt9YkMDqCX20iuw8QSrcc3nGX8NE4dxVllO+/JhAMBXjdgTsmX5
TEgf/oa9NvJPdSs6n1bi9SI1Sw3NquttCwFdezu5UlZVro/j3m/fh3ORKmwfE2pf
vzPqT6p1AgU0+TykftGnHKCaP8qhpEUOocaSYnREW1TGARpAAzxjlxz7sFTPPLKz
iYvuQe9kWlI=
=LSPP
-----END PGP SIGNATURE-----
