Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/05/10 17:08:00 UTC

[SECURITY] CVE-2022-29885 Apache Tomcat EncryptInterceptor DoS

CVE-2022-29885 Apache Tomcat EncryptInterceptor

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M14
Apache Tomcat 10.0.0-M1 to 10.0.20
Apache Tomcat 9.0.13 to 9.0.62
Apache Tomcat 8.5.38 to 8.5.78

Description:
The documentation for the EncryptInterceptor incorrectly stated that it
enabled Tomcat clustering to run over an untrusted network. While the
EncryptInterceptor does provide confidentiality and integrity protection,
it does not protect against all risks associated with running over an
untrusted network, particularly DoS risks.

Mitigation:
Users running clustering over an untrusted network who require full 
protection should switch to an alternative solution such as running the 
clustering communication over a VPN.
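As an added illustration (not part of the advisory or of Tomcat's shipped configuration), the server.xml cluster fragment below keeps the EncryptInterceptor for confidentiality and integrity but confines the cluster listener and multicast membership to a VPN interface, so the receiver is not reachable from the untrusted network at all. It assumes 10.8.0.2 is the host's VPN-side address; the encryption key is a placeholder.

```xml
<!-- Added example, not from the advisory. Assumptions: 10.8.0.2 is this
     node's VPN interface address; the key value is a placeholder and must be
     replaced with a hex-encoded 16-, 24- or 32-byte key (AES default). -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">

    <!-- Membership multicast is bound to the VPN interface as well. -->
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4" port="45564"
                frequency="500" dropTime="3000"
                bind="10.8.0.2"/>

    <!-- Weak setting (do not use on an untrusted network):
           address="auto" or "0.0.0.0" listens on every interface and
           relies on the EncryptInterceptor alone, which does not stop DoS.
         Corrected setting: listen only on the VPN address. -->
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="10.8.0.2" port="4000" autoBind="100"
              selectorTimeout="5000" maxThreads="6"/>

    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>

    <!-- Traffic inside the VPN is still encrypted and integrity-protected;
         this interceptor is a confidentiality/integrity control, not a
         DoS control. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="REPLACE_WITH_HEX_KEY_PLACEHOLDER"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
  </Channel>

  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
```

Verify after restart that the receiver socket is bound only to the VPN address (for example with `ss -ltnp` on the node) and that no cluster port is reachable from the untrusted side.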

History:
2022-05-10 Original advisory

Credit:
This issue was reported to the Apache Tomcat Security team by 4ra1n.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
