Posted to users@tomcat.apache.org by "DeHaven, Jacob" <ja...@fema.dhs.gov.INVALID> on 2022/05/31 15:17:44 UTC
Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 vulnerability question
In regards to the Low: Apache Tomcat EncryptInterceptor DoS http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885 which is fixed in Apache Tomcat 9.0.63, it is being reported as a Low vulnerability on the Apache Tomcat website but others (NIST, Tenable) are reporting this vulnerability as High as seen below. Could someone please elaborate on this and which one is correct?
NIST:
https://nvd.nist.gov/vuln/detail/CVE-2022-29885
Base Score: 7.5 HIGH
Tenable:
https://www.tenable.com/cve/CVE-2022-29885
Severity: HIGH
Our setup:
Apache Tomcat version: 9.0.58
OS: MS Windows Server 2019
Configured within Cognos ReportNet
Thanks,
Jacob DeHaven
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 vulnerability question
Posted by Mark Thomas <ma...@apache.org>.
On 31/05/2022 16:17, DeHaven, Jacob wrote:
> In regards to the Low: Apache Tomcat EncryptInterceptor DoS http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885 which is fixed in Apache Tomcat 9.0.63, it is being reported as a Low vulnerability on the Apache Tomcat website but others (NIST, Tenable) are reporting this vulnerability as High as seen below. Could someone please elaborate on this and which one is correct?
CVSS scores are highly subjective which is why the Apache Tomcat project
doesn't use them.
The Apache Tomcat project has no view on whether the quoted CVSS scores
are "correct" or not. If other folks want to argue over them they are
free to do so. We don't have an opinion and won't be getting involved.
The Apache Tomcat project rates vulnerabilities based on this scale:
https://tomcat.apache.org/security-impact.html
To be impacted by CVE-2022-29885 an installation needs to be:
a) using Tomcat's clustering
b) running the clustering over a network accessible to untrusted actors
c) using the EncryptInterceptor
d) expecting c) to be providing full protection for the risks associated
with b)
The above requirements, particularly b), were viewed as sufficiently
unlikely as to merit a rating of Low.
I'll note that any claim that Tomcat needs to be upgraded to address
this vulnerability is complete and utter nonsense. The "fix" was to
change the documentation to clarify the limitations of the
EncryptInterceptor.
If all of the requirements above apply then the recommendation would be
to switch to a trusted network, e.g. by implementing IPSec for the
clustering traffic.
Mark
Re: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 vulnerability question
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jacob,
On 5/31/22 11:17, DeHaven, Jacob wrote:
> In regards to the Low: Apache Tomcat EncryptInterceptor DoS
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885 which is
> fixed in Apache Tomcat 9.0.63, it is being reported as a Low
> vulnerability on the Apache Tomcat website but others (NIST, Tenable)
> are reporting this vulnerability as High as seen below. Could someone
> please elaborate on this and which one is correct?
>
> NIST:
> https://nvd.nist.gov/vuln/detail/CVE-2022-29885
> Base Score: 7.5 HIGH
>
> Tenable:
> https://www.tenable.com/cve/CVE-2022-29885
> Severity: HIGH
(For completeness)
Tomcat:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.63
Severity: LOW
The severity of any vulnerability is a matter of subjective opinion.
Speaking for myself (a member of the Apache Tomcat Security Team, but
not making any official statement, here), any vulnerability always must
be considered under the following criteria:
1. Complexity (aka ease-of-attack)
2. Probability (aka likelihood of attack)
3. Impact (aka the Bad Stuff[1])
For my part, I would rate CVE-2022-29885 the following way:
1. Complexity: LOW (meaning HIGH severity)
This is an easy attack to perform if you know what you are doing.
2. Probability: LOW (meaning LOW severity)
This is a difficult attack to perform, because it requires that the
target first be running Tomcat as a cluster (which is somewhat rare in
and of itself), and the attacker must be able to access the target's
network being used for that clustering. Those two prerequisites alone
might reduce the overall severity for me to "very low".
3. Impact: MEDIUM (meaning MEDIUM severity)
This is a DOS and thus a breach of availability, not a breach of
security or privacy.
Again, speaking for myself, I would rate this LOW due mostly to the low
Probability rating of this vulnerability.
It's worth pointing out a few more things IMO:
1. While this is being reported as a vulnerability in the
EncryptInterceptor, it's actually a vulnerability in the Tomcat
clustering itself which the EncryptInterceptor fails to mitigate while
implying that it does. (The original claim was that the
EncryptInterceptor allowed Tomcat to be clustered over an untrusted
network. While this is true, it only provides integrity and privacy
guarantees while not providing protection against DOS.)
2. The "fix" was to /adjust the documentation/ to make it clear that the
EncryptInterceptor isn't sufficient protection to run Tomcat's
clustering over a truly untrusted network. So upgrading to the "fixed"
version provides exactly no "protection" whatsoever from the possible
DOS mentioned in CVE-2022-29885.
3. Any software which uses version numbers to report vulnerabilities
instead of executing actual testing for those vulnerabilities is
necessarily going to report a lot of false positives. For example, if
you aren't using Tomcat's clustering, then you were never in any danger
of being susceptible to CVE-2022-29885. Likewise, if you are using
Tomcat clustering but you are using a secured network, then you are also
not susceptible to CVE-2022-29885.
4. It's always a good idea to be running the latest version of the
software you rely on to meet your requirements. Unless there is a
significant reason to stay on your older 9.0.58 version, upgrading to
9.0.63 is just a good idea in general.
5. As you are under the umbrella of US-DHS, you must meet whatever
expectations and requirements DHS, CISA, and any other government
agencies which affect your security policies have. I haven't met an agency
yet that doesn't understand that vulnerabilities can be mitigated
without upgrading to a "fixed" version: you should be able to explain
that you don't use the vulnerable component (if it's true, of course),
an attacker can't force the sudden use of the component (not without
having compromised your environment already, in which case
CVE-2022-29885 is the least of your worries), and therefore your
"vulnerable" version is in fact /not/ vulnerable.
Hope that helps,
-chris
[1] https://en.wikipedia.org/wiki/Munchkin_(card_game)#Gameplay
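As an added example (not code from the thread or from the Tomcat project), the applicability checklist from both replies can be turned into a small triage script: it reads a server.xml, reports whether clustering is configured at all and whether the EncryptInterceptor is in the channel, and combines that with an operator-supplied answer to "is the cluster network trusted?", which server.xml cannot tell you. This is the test a version-number-only scanner skips. The two sample server.xml documents and the function names are constructed for this example; the two className values are the real Tomcat class names, and the encryptionKey value is a placeholder.

```python
"""Triage helper for CVE-2022-29885 against a Tomcat server.xml (example code).

Applies the thread's checklist: the issue only matters if (a) clustering is
configured, (b) cluster traffic crosses an untrusted network, and (c) the
EncryptInterceptor is being relied on to protect it. Whether the network is
trusted is not recorded in server.xml, so it is passed in by the operator.
"""
import xml.etree.ElementTree as ET

# Real Tomcat class names for the cluster and the interceptor in question.
CLUSTER_CLASS = "org.apache.catalina.ha.tcp.SimpleTcpCluster"
ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"

# Constructed sample: clustering enabled with the EncryptInterceptor in the channel.
SAMPLE_CLUSTERED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="PLACEHOLDER-KEY-NOT-A-REAL-VALUE"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
        </Channel>
      </Cluster>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: a plain standalone instance with no <Cluster> element.
SAMPLE_STANDALONE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


def inspect_server_xml(server_xml: str) -> dict:
    """Return what server.xml says about clustering and the EncryptInterceptor."""
    root = ET.fromstring(server_xml)
    # <Cluster> may sit under <Engine> or <Host>, so search at any depth.
    clusters = list(root.iter("Cluster"))
    interceptors = [
        i.get("className", "") for c in clusters for i in c.iter("Interceptor")
    ]
    return {
        "clustering_enabled": bool(clusters),
        "cluster_classes": [c.get("className", "") for c in clusters],
        "interceptors": interceptors,
        "encrypt_interceptor": ENCRYPT_INTERCEPTOR in interceptors,
    }


def assess(server_xml: str, cluster_network_trusted: bool) -> dict:
    """Combine the config facts with the operator's network-trust answer."""
    facts = inspect_server_xml(server_xml)
    if not facts["clustering_enabled"]:
        verdict = (False, "clustering not configured; CVE-2022-29885 does not apply")
    elif cluster_network_trusted:
        verdict = (False, "clustering runs on a trusted network; not exposed")
    elif facts["encrypt_interceptor"]:
        verdict = (True, "clustering over an untrusted network, relying on "
                         "EncryptInterceptor, which gives integrity and privacy but "
                         "no DoS protection; move cluster traffic to a trusted "
                         "network (e.g. IPsec). Upgrading alone does not mitigate.")
    else:
        verdict = (True, "clustering over an untrusted network with no "
                         "EncryptInterceptor; exposed to the same DoS, plus no "
                         "integrity/privacy; move cluster traffic to a trusted network.")
    facts["exposed"], facts["reason"] = verdict
    return facts


if __name__ == "__main__":
    for label, xml_text in (("clustered", SAMPLE_CLUSTERED), ("standalone", SAMPLE_STANDALONE)):
        for trusted in (True, False):
            r = assess(xml_text, cluster_network_trusted=trusted)
            print(f"{label:10} trusted={trusted!s:5} exposed={r['exposed']!s:5} {r['reason']}")
```

Run it against your own conf/server.xml instead of the embedded samples and it tells you which of the thread's conditions actually hold, which is the explanation Chris suggests giving to a scanner-driven finding.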