CVE-2022-29885
Public on
Last Modified:
Description
The CVE Program describes this issue as:
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
Statement
This flaw describes a mistake made in the documentation which overstated the protection provided by the clustering feature. As the impact is Low and a patch would not directly improve the security posture of Apache Tomcat, this flaw is marked as will not fix for all Red Hat products. This may be fixed in a future release.
Mitigation
For customers who use clustering on an untrusted network and require full protection, an alternate solution is recommended such as using a VPN.
Additional information
- Bugzilla 2093014: tomcat: EncryptInterceptor documentation mistake
- CWE-1112: Incomplete Documentation of Program Execution
- FAQ: Frequently asked questions about CVE-2022-29885
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
The following CVSS metrics and score provided are preliminary and subject to review.
Red Hat | NVD | |
---|---|---|
CVSS v3 Base Score | 3.7 | 7.5 |
Attack Vector | Network | Network |
Attack Complexity | High | Low |
Privileges Required | None | None |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | None | None |
Integrity Impact | None | None |
Availability Impact | Low | High |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
NVD: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat CVSS v3 Score Explanation
Apache's announcement indicates the documentation was incorrect. It overstated the level of protection provided by a certain feature. It always helped mitigate Denial of Service attacks, but cannot eliminate the risk entirely. Therefore availability is rated Low.
Attack complexity is rated low because Apache does not have a fundamental design problem that makes it susceptible to a DoS.
Understanding the Weakness (CWE)
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.