CVE-2022-29885

high-risk
Published 2022-05-12

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Do I need to act?

!
55.5% chance of exploitation in next 30 days
EPSS score — higher than 44% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
51262
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (18)

Hospitality Cruise Shipboard Property Management System

Affected Vendors

Debian Apache Oracle

References (12)

http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service...
Mailing List https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
Mailing List https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20220629-0002/
Third Party Advisory https://www.debian.org/security/2022/dsa-5265
Patch https://www.oracle.com/security-alerts/cpujul2022.html
http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service...
Mailing List https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
Mailing List https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20220629-0002/
Third Party Advisory https://www.debian.org/security/2022/dsa-5265
Patch https://www.oracle.com/security-alerts/cpujul2022.html
63
/ 100
high-risk
Severity 26/34 · High
Exploitability 18/34 · Moderate
Exposure 19/34 · Moderate