CVE-2022-29885

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
apachetomcat
8.5.38 ≤
𝑥
≤ 8.5.78
apachetomcat
9.0.13 ≤
𝑥
≤ 9.0.62
apachetomcat
10.0.0 ≤
𝑥
≤ 10.0.20
apachetomcat
10.1.0:milestone1
apachetomcat
10.1.0:milestone10
apachetomcat
10.1.0:milestone11
apachetomcat
10.1.0:milestone12
apachetomcat
10.1.0:milestone13
apachetomcat
10.1.0:milestone14
apachetomcat
10.1.0:milestone2
apachetomcat
10.1.0:milestone3
apachetomcat
10.1.0:milestone4
apachetomcat
10.1.0:milestone5
apachetomcat
10.1.0:milestone6
apachetomcat
10.1.0:milestone7
apachetomcat
10.1.0:milestone8
apachetomcat
10.1.0:milestone9
debiandebian_linux
10.0
debiandebian_linux
11.0
oraclehospitality_cruise_shipboard_property_management_system
20.2.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat9
bullseye (security)
9.0.43-2~deb11u10
fixed
bullseye
9.0.43-2~deb11u10
fixed
stretch
postponed
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat8
bionic
Fixed 8.5.39-1ubuntu1~18.04.3+esm2
released
xenial
not-affected
tomcat9
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
Fixed 9.0.58-1ubuntu0.1+esm2
released
impish
ignored
focal
Fixed 9.0.31-1ubuntu0.6
released
bionic
Fixed 9.0.16-3ubuntu0.18.04.2+esm2
released
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
https://security.netapp.com/advisory/ntap-20220629-0002/
https://www.debian.org/security/2022/dsa-5265
https://www.oracle.com/security-alerts/cpujul2022.html
http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
https://security.netapp.com/advisory/ntap-20220629-0002/
https://www.debian.org/security/2022/dsa-5265
https://www.oracle.com/security-alerts/cpujul2022.html