CVE-2022-29885

Опубликовано: 12 мая 2022

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Средний

Описание

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Ссылки

http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
Mailing List
Mitigation
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
Mailing List
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220629-0002/
Third Party Advisory
https://www.debian.org/security/2022/dsa-5265
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory
http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
Mailing List
Mitigation
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
Mailing List
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220629-0002/
Third Party Advisory
https://www.debian.org/security/2022/dsa-5265
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Версия от 8.5.38 (включая) до 8.5.78 (включая)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Версия от 9.0.13 (включая) до 9.0.62 (включая)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Версия от 10.0.0 (включая) до 10.0.20 (включая)

cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.2.1:*:*:*:*:*:*:*

EPSS

Процентиль: 98%

0.66148

Средний

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-400

NVD-CWE-noinfo

Связанные уязвимости

CVE-2022-29885

CVSS3: 7.5

ubuntu

около 3 лет назад

CVE-2022-29885

CVSS3: 3.7

redhat

около 3 лет назад

CVE-2022-29885

CVSS3: 7.5

debian

около 3 лет назад

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 ...

GHSA-r84p-88g2-2vx2

CVSS3: 7.5

github

около 3 лет назад

Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption

BDU:2022-03434

CVSS3: 7.5

fstec

около 3 лет назад

Уязвимость реализации класса EncryptInterceptor сервера приложений Apache Tomcat, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 98%

0.66148

Средний

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-400

NVD-CWE-noinfo