Apache Tomcat Native has a flaw in that it does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. As a result, revoked client certificates may not be properly identified, allowing users to authenticate with revoked certificates to connections that require mutual TLS.
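Added illustration, not Tomcat Native's own code: a model of the check the description calls for when an OCSP response carries several entries. The revocation decision must be taken from the entry whose CertID matches the presented client certificate, and only while that entry is within its validity window; the "trust the first entry" variant is included as an illustrative example of the class of defect, not as a claim about the exact upstream code. The SingleResponse record and the sample data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence, Tuple

# Constructed, simplified model of an OCSP SingleResponse (RFC 6960 allows a
# pre-produced BasicResponse to carry one entry per certificate).
@dataclass(frozen=True)
class SingleResponse:
    issuer_name_hash: bytes          # CertID fields identifying the certificate
    issuer_key_hash: bytes
    serial: int
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # None means the responder gave no expiry

CertID = Tuple[bytes, bytes, int]

def first_entry_status(responses: Sequence[SingleResponse], cert_id: CertID) -> str:
    """Illustrative flawed check: reports whatever the first entry says,
    regardless of which certificate that entry is actually about."""
    return responses[0].cert_status if responses else "unknown"

def matching_entry_status(responses: Sequence[SingleResponse], cert_id: CertID,
                          now: datetime) -> str:
    """Correct check: find the entry for this CertID, require it to be current,
    and treat a missing or stale entry as 'unknown' (never as 'good')."""
    for r in responses:
        if (r.issuer_name_hash, r.issuer_key_hash, r.serial) != cert_id:
            continue
        if r.this_update > now or (r.next_update is not None and now > r.next_update):
            return "unknown"   # outside the entry's validity window
        return r.cert_status
    return "unknown"           # response says nothing about this certificate

def accept_client_cert(responses: Sequence[SingleResponse], cert_id: CertID,
                       now: datetime) -> bool:
    """Mutual-TLS decision: only an explicit, current 'good' is acceptable."""
    return matching_entry_status(responses, cert_id, now) == "good"

# Constructed sample: one valid and one revoked client certificate from the same issuer.
ISSUER = (b"\x01" * 20, b"\x02" * 20)
T0 = datetime(2018, 7, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=1)
STALE = T0 + timedelta(days=30)          # past next_update of every entry below
SAMPLE = [
    SingleResponse(*ISSUER, 0x1001, "good", T0, T0 + timedelta(days=7)),
    SingleResponse(*ISSUER, 0x1002, "revoked", T0, T0 + timedelta(days=7)),
]

if __name__ == "__main__":
    revoked = (*ISSUER, 0x1002)
    print("first-entry check :", first_entry_status(SAMPLE, revoked))      # good (wrong)
    print("matching-entry    :", matching_entry_status(SAMPLE, revoked, NOW))  # revoked
```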
Acknowledgments: Coty Sutherland (Red Hat)
External References:
http://mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095943.GA24320%40minotaur.apache.org%3E
http://tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17
Upstream Patch: http://svn.apache.org/viewvc?view=revision&revision=1832863
Created tomcat-native tracking bugs for this issue:
Affects: epel-all [bug 1610614]
Affects: fedora-all [bug 1610613]
This issue has been addressed in the following products: Red Hat JBoss Web Server
Via RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:2470
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7, Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2469