{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-29885", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T06:33:42.950Z", "dateReserved": "2022-04-28T00:00:00", "datePublished": "2022-05-12T00:00:00"}, "containers": {"cna": {"title": "EncryptInterceptor does not provide complete protection on insecure networks", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-04-06T00:00:00"}, "descriptions": [{"lang": "en", "value": "The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"version": "Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14", "status": "affected"}, {"version": "Apache Tomcat 10 10.0.0-M1 to 10.0.20", "status": "affected"}, {"version": "Apache Tomcat 9 9.0.13 to 9.0.62", "status": "affected"}, {"version": "Apache Tomcat 8.5 8.5.38 to 8.5.78 ", "status": "affected"}]}], "references": [{"url": "https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20220629-0002/"}, {"name": "[debian-lts-announce] 20221026 [SECURITY] [DLA 3160-1] tomcat9 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"}, {"name": "DSA-5265", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5265"}, {"url": "http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html"}], "credits": [{"lang": "en", "value": "This issue was reported to the Apache Tomcat Security team by 4ra1n."}], "metrics": [{"other": {"type": "unknown", "content": {"other": "low"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:33:42.950Z"}, "title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20220629-0002/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221026 [SECURITY] [DLA 3160-1] tomcat9 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"}, {"name": "DSA-5265", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5265"}, {"url": "http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF71095E-12F3-4461-BAE9-1EB65BA50916", "versionEndIncluding": "8.5.78", "versionStartIncluding": "8.5.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "F31172AB-31C6-4F32-B9CC-2F363A9DEF94", "versionEndIncluding": "9.0.62", "versionStartIncluding": "9.0.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFC41BAB-1EA0-444F-AD16-4A341BD642E9", "versionEndIncluding": "10.0.20", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "C29D8C0E-6317-4512-BEEC-42A0FE0D5B73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks."}, {"lang": "es", "value": "La documentaci\u00f3n de Apache Tomcat versiones 10.1.0-M1 a 10.1.0-M14, 10.0.0-M1 a 10.0.20, 9.0.13 a 9.0.62 y 8.5.38 a 8.5.78, para el EncryptInterceptor indicaba incorrectamente que permit\u00eda que el clustering de Tomcat fuera ejecutado sobre una red no confiable. Esto no es correcto. Mientras que el EncryptInterceptor proporciona confidencialidad y protecci\u00f3n de la integridad, no protege contra todos los riesgos asociados con la ejecuci\u00f3n de cualquier red no confiable, particularmente los riesgos de DoS"}], "id": "CVE-2022-29885", "lastModified": "2023-04-06T17:15:09.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-12T08:15:07.630", "references": [{"source": "security@apache.org", "url": "http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220629-0002/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5265"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"bugzilla": {"description": "tomcat: EncryptInterceptor documentation mistake", "id": "2093014", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2093014"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1112", "details": ["The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks."], "mitigation": {"lang": "en:us", "value": "For customers who use clustering on an untrusted network and require full protection, an alternate solution is recommended such as using a VPN."}, "name": "CVE-2022-29885", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Will not fix", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Will not fix", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Will not fix", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2022-05-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-29885\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-29885\nhttps://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv"], "statement": "This flaw describes a mistake made in the documentation which overstated the protection provided by the clustering feature. As the impact is Low and a patch would not directly improve the security posture of Apache Tomcat, this flaw is marked as will not fix for all Red Hat products. This may be fixed in a future release.", "threat_severity": "Low"}