CVE-2022-29885

Public on

Last Modified: UTC

Description

The CVE Program describes this issue as:

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Statement

This flaw describes a mistake made in the documentation which overstated the protection provided by the clustering feature. As the impact is Low and a patch would not directly improve the security posture of Apache Tomcat, this flaw is marked as will not fix for all Red Hat products. This may be fixed in a future release.

Mitigation

For customers who use clustering on an untrusted network and require full protection, an alternate solution is recommended such as using a VPN.

Additional information

  • Bugzilla 2093014: tomcat: EncryptInterceptor documentation mistake
  • CWE-1112: Incomplete Documentation of Program Execution
  • FAQ: Frequently asked questions about CVE-2022-29885

Common Vulnerability Scoring System (CVSS) Score Details

Important note

CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).

The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 Score Breakdown

Metric                  Red Hat     NVD
CVSS v3 Base Score      3.7         7.5
Attack Vector           Network     Network
Attack Complexity       High        Low
Privileges Required     None        None
User Interaction        None        None
Scope                   Unchanged   Unchanged
Confidentiality Impact  None        None
Integrity Impact        None        None
Availability Impact     Low         High

CVSS v3 Vector

Red Hat: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Red Hat CVSS v3 Score Explanation

Apache's announcement indicates the documentation was incorrect. It overstated the level of protection provided by a certain feature. It always helped mitigate Denial of Service attacks, but cannot eliminate the risk entirely. Therefore availability is rated Low. Attack complexity is rated low because Apache does not have a fundamental design problem that makes it susceptible to a DoS.

Understanding the Weakness (CWE)

CWE-1112

Frequently Asked Questions

Why is Red Hat's CVSS v3 score or Impact different from other vendors?

My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?

What can I do if my product is listed as "Will not fix"?

What can I do if my product is listed as "Fix deferred"?

What is a mitigation?

I have a Red Hat product but it is not in the above list, is it affected?

Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
