Description
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
Statement
This flaw describes a mistake made in the documentation which overstated the protection provided by the clustering feature. As the impact is Low and a patch would not directly improve the security posture of Apache Tomcat, this flaw is marked as will not fix for all Red Hat products. This may be fixed in a future release.
Mitigation
For customers who use clustering on an untrusted network and require full protection, an alternate solution is recommended such as using a VPN.
Affected Packages

Platform | Package | State | Errata | Release
---|---|---|---|---
Red Hat Decision Manager 7 | tomcat | Will not fix | |
Red Hat Enterprise Linux 6 | tomcat6 | Will not fix | |
Red Hat Enterprise Linux 7 | tomcat | Will not fix | |
Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Will not fix | |
Red Hat Enterprise Linux 9 | pki-servlet-engine | Will not fix | |
Red Hat Fuse 7 | tomcat | Will not fix | |
Red Hat JBoss Data Grid 6 | jbossweb | Will not fix | |
Red Hat JBoss Data Virtualization 6 | jbossweb | Will not fix | |
Red Hat JBoss Enterprise Application Platform 6 | jbossweb | Will not fix | |
Red Hat JBoss Fuse 6 | tomcat | Will not fix | |
Additional information
Status:
EPSS
3.7 Low
CVSS3
Related vulnerabilities
Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption
A vulnerability in the implementation of the EncryptInterceptor class of the Apache Tomcat application server that allows an attacker to cause a denial of service