Apache Tomcat Native OCSP verification bypass
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. The vulnerable code is in the process_ocsp_response() function in sslutils.c, which was missing calls to OCSP_basic_verify(), OCSP_check_validity(), and OCSP_check_nonce(). This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11. The …