Candidate: CVE-2018-8020
PublicDate: 2018-07-31 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8020
 https://svn.apache.org/r1832863
 http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721101944.GA45239@minotaur.apache.org%3E
Description:
 Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that
 does not properly check OCSP pre-produced responses, which are lists
 (multiple entries) of certificate statuses. Subsequently, revoked client
 certificates may not be properly identified, allowing for users to
 authenticate with revoked certificates to connections that require mutual
 TLS. Users not using OCSP checks are not affected by this vulnerability.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N [7.4 HIGH]


Patches_tomcat-native:
upstream_tomcat-native: released (1.2.17-1)
precise/esm_tomcat-native: DNE
trusty_tomcat-native: ignored (reached end-of-life)
trusty/esm_tomcat-native: DNE (trusty was needs-triage)
xenial_tomcat-native: ignored (end of standard support, was needed)
bionic_tomcat-native: not-affected (1.2.17-1)
cosmic_tomcat-native: not-affected (1.2.17-1)
disco_tomcat-native: not-affected (1.2.17-1)
eoan_tomcat-native: not-affected (1.2.17-1)
focal_tomcat-native: not-affected (1.2.17-1)
groovy_tomcat-native: not-affected (1.2.17-1)
hirsute_tomcat-native: not-affected (1.2.17-1)
impish_tomcat-native: not-affected (1.2.17-1)
jammy_tomcat-native: not-affected (1.2.17-1)
devel_tomcat-native: not-affected (1.2.17-1)