Posted to users@tomcat.apache.org by Jerry Lampi <ja...@sdsusa.com> on 2022/12/06 19:07:59 UTC

Tomcat 9 and CVE-2022-42920 (bcel vulnerability)

Hi all.  We use Tomcat 9.0.63 and are wondering if it's vulnerable to CVE-2022-42920?
I don't see any bcel jar files, like bcel-6.0.jar, but when I scanned all jars for bcel, I found the following 22 classes with bcel in their package name in tomcat-coyote.jar:
org/apache/tomcat/util/bcel/Const.class
org/apache/tomcat/util/bcel/classfile/AnnotationElementValue.class
org/apache/tomcat/util/bcel/classfile/AnnotationEntry.class
org/apache/tomcat/util/bcel/classfile/Annotations.class
org/apache/tomcat/util/bcel/classfile/ArrayElementValue.class
org/apache/tomcat/util/bcel/classfile/ClassElementValue.class
org/apache/tomcat/util/bcel/classfile/ClassFormatException.class
org/apache/tomcat/util/bcel/classfile/ClassParser.class
org/apache/tomcat/util/bcel/classfile/Constant.class
org/apache/tomcat/util/bcel/classfile/ConstantClass.class
org/apache/tomcat/util/bcel/classfile/ConstantDouble.class
org/apache/tomcat/util/bcel/classfile/ConstantFloat.class
org/apache/tomcat/util/bcel/classfile/ConstantInteger.class
org/apache/tomcat/util/bcel/classfile/ConstantLong.class
org/apache/tomcat/util/bcel/classfile/ConstantPool.class
org/apache/tomcat/util/bcel/classfile/ConstantUtf8.class
org/apache/tomcat/util/bcel/classfile/ElementValue.class
org/apache/tomcat/util/bcel/classfile/ElementValuePair.class
org/apache/tomcat/util/bcel/classfile/EnumElementValue.class
org/apache/tomcat/util/bcel/classfile/JavaClass.class
org/apache/tomcat/util/bcel/classfile/SimpleElementValue.class
org/apache/tomcat/util/bcel/classfile/Utility.class

Are these classes implicated in CVE-2022-42920?  Does Tomcat 9 need to be updated?
Thank you in advance,
Jerry
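
The check Jerry describes, as an added example that is not part of the original thread: a POSIX sh script that lists every jar under a directory and counts, per jar, entries under the upstream Apache Commons BCEL package (org/apache/bcel/) separately from entries under Tomcat's own org/apache/tomcat/util/bcel/ package (the classes found in tomcat-coyote.jar). The directory path and the use of unzip are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Separates a real Commons BCEL
# dependency (org/apache/bcel/...) from Tomcat's repackaged classes
# (org/apache/tomcat/util/bcel/...) so the two are not confused.

# Reads jar entry paths from stdin, one per line, exactly as
# "unzip -Z1 some.jar" prints them, and reports both counts.
classify_entries() {
    upstream=0
    internal=0
    while IFS= read -r entry; do
        case "$entry" in
            org/apache/tomcat/util/bcel/*.class) internal=$((internal + 1)) ;;
            org/apache/bcel/*.class)             upstream=$((upstream + 1)) ;;
        esac
    done
    printf 'upstream=%s tomcat_internal=%s\n' "$upstream" "$internal"
}

# Walks every jar below the given directory (assumed: $CATALINA_HOME/lib)
# and prints one line per jar. Requires the unzip tool.
scan_jars() {
    find "$1" -type f -name '*.jar' | while IFS= read -r jar; do
        printf '%s: ' "$jar"
        unzip -Z1 "$jar" | classify_entries
    done
}

# Usage: scan_jars /opt/tomcat/lib
```

A jar reporting a non-zero upstream count carries the Commons BCEL classes the CVE concerns; tomcat-coyote.jar only raises the tomcat_internal count.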

Re: Tomcat 9 and CVE-2022-42920 (bcel vulnerability)

Posted by Mark Thomas <ma...@apache.org>.
On 06/12/2022 19:07, Jerry Lampi wrote:
> Hi all.  We use Tomcat 9.0.63 and are wondering if it's vulnerable to CVE-2022-42920?

Tomcat is not exposed to this vulnerability.

Mark
