CVE-2022-29885
Summary
| CVE | CVE-2022-29885 |
|---|---|
| State | PUBLIC |
| Assigner | security@apache.org |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-05-12 08:15:00 UTC |
| Updated | 2023-04-06 17:15:00 UTC |
| Description | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. |
Risk And Classification
Problem Types: CWE-400
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | 10.1.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 10.1.0 | milestone9 | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Application | Oracle | Hospitality Cruise Shipboard Property Management System | 20.2.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian -- Security Information -- DSA-5265-1 tomcat9 | DEBIAN | www.debian.org | |
| CVE-2022-29885 Apache Tomcat Vulnerability in NetApp Products - NetApp Product Security | CONFIRM | security.netapp.com | |
| lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv | MISC | lists.apache.org | |
| Apache Tomcat 10.1 Denial Of Service ≈ Packet Storm | MISC | packetstormsecurity.com | |
| [SECURITY] [DLA 3160-1] tomcat9 security update | MLIST | lists.debian.org | |
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This issue was reported to the Apache Tomcat Security team by 4ra1n.
Legacy QID Mappings
- 150531 Apache Tomcat EncryptInterceptor DoS Vulnerability (CVE-2022-29885)
- 181163 Debian Security Update for tomcat9 (DLA 3160-1)
- 181177 Debian Security Update for tomcat9 (DSA 5265-1)
- 182695 Debian Security Update for tomcat9 (CVE-2022-29885)
- 296084 Oracle Solaris 11.4 Support Repository Update (SRU) 50.126.3 Missing (CPUOCT2022)
- 354037 Amazon Linux Security Advisory for tomcat8 : ALAS-2022-1627
- 356303 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-005
- 730503 Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2022-29885)