When using pre-produced responses from an OCSP responder, Tomcat Native did not correctly validate the status of certificates. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS.
bugzilla.redhat.com/show_bug.cgi?id=1581569
www.cve.org/CVERecord?id=CVE-2018-8020 https://nvd.nist.gov/vuln/detail/CVE-2018-8020 mail-archives.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180721095943.GA24320%40minotaur.apache.org%3E http://tomcat.apache.org/security-native.html#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17