Posted to users@tomcat.apache.org by 오현택 <gu...@naver.com> on 2022/05/24 01:56:41 UTC

Asking Apache Tomcat Vulnerabilities(CVE-2022-25762)

Hello.

I am asking about the CVE-2022-25762 vulnerability.

In the described part, it seems that the vulnerability is determined
depending on whether or not WebSocket is used.

Even if you are using an affected version of Tomcat, if you do not use
WebSockets, we ask whether you are not a target of the vulnerability.

■ Tomcat version in use
- Tomcat 8.5.31

Thank you.

Re: Asking Apache Tomcat Vulnerabilities(CVE-2022-25762)

Posted by Mark Thomas <ma...@apache.org>.
On 24/05/2022 02:56, 오현택 wrote:
> Hello.
>
> I am asking about the CVE-2022-25762 vulnerability.
>
> In the described part, it seems that the vulnerability is determined
> depending on whether or not WebSocket is used.
>
> Even if you are using an affected version of Tomcat, if you do not use
> WebSockets, we ask whether you are not a target of the vulnerability.

As long as no web application deployed to an Apache Tomcat instance uses 
WebSockets then that Tomcat instance will not be affected by CVE-2022-25762.

If any web application deployed to an Apache Tomcat instance uses 
WebSockets then all web applications deployed to that Tomcat instance 
will be exposed to CVE-2022-25762.

> ■ Tomcat version in use
> - Tomcat 8.5.31

That is quite old. I assume that you have confirmed that you aren't 
impacted by any of the other security issues announced since then.

Mark
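
One way to check the condition described in the reply above (whether any web application deployed to the instance uses WebSockets), as an added example that is not part of the original thread and not Tomcat's own code. It is a heuristic: it looks for the `javax.websocket` / `jakarta.websocket` API names in the constant pool of compiled classes, so a hit in a bundled library means the API is referenced, not necessarily that an endpoint is deployed. The function names and the sample archives are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

# Strings left in a compiled class's constant pool when it references the WebSocket API.
MARKERS = (b"javax/websocket/", b"jakarta/websocket/")

def scan_blob(name, data, label, hits):
    """Record a .class that references the API; recurse into .jar/.war archives."""
    if name.endswith(".class") and any(m in data for m in MARKERS):
        hits.append(label)
    elif name.endswith((".jar", ".war")) and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for inner in zf.namelist():
                scan_blob(inner, zf.read(inner), f"{label}!{inner}", hits)

def scan_webapps(webapps_dir):
    """Return {webapp: [class locations]} for deployed apps that reference the WebSocket API."""
    report = {}
    for entry in sorted(os.listdir(webapps_dir)):
        top, hits = os.path.join(webapps_dir, entry), []
        # A deployment is either a packed WAR file or an unpacked directory.
        files = [top] if os.path.isfile(top) else [
            os.path.join(root, f) for root, _, fs in os.walk(top) for f in fs]
        for path in files:
            with open(path, "rb") as fh:
                scan_blob(path, fh.read(), os.path.relpath(path, webapps_dir), hits)
        if hits:
            report[entry] = hits
    return report

def build_sample(webapps_dir):
    """Constructed sample: fake class bytes, only the marker strings are realistic."""
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as jar:
        jar.writestr("com/example/ChatEndpoint.class",
                     b"\xca\xfe\xba\xbe..Ljavax/websocket/server/ServerEndpoint;..")
    with zipfile.ZipFile(os.path.join(webapps_dir, "chat.war"), "w") as war:
        war.writestr("WEB-INF/lib/chat-core.jar", lib.getvalue())
    with zipfile.ZipFile(os.path.join(webapps_dir, "static.war"), "w") as war:
        war.writestr("WEB-INF/classes/com/example/Hello.class", b"\xca\xfe\xba\xbe..java/lang/Object..")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_webapps(tmp))
```

Point `scan_webapps` at the instance's `webapps` directory (and any other configured appBase); an empty result means no deployed application references the WebSocket API by these names.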
