CVE-2022-29885
Publication date 12 May 2022
Last updated 2 August 2024
Ubuntu priority
CVSS 3 Severity Score
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
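Because the EncryptInterceptor does not make clustering safe on an untrusted network, it is worth checking where an encrypted cluster channel actually listens. The sketch below is an added example, not code from Ubuntu or the Tomcat project: it audits a `server.xml` for channels that use the EncryptInterceptor and reports the Receiver bind address. The sample configuration is constructed, and treating RFC 1918, unique-local and loopback ranges as "internal" is an assumption used as a heuristic, not proof that the network is trusted.

```python
import ipaddress
import xml.etree.ElementTree as ET

ENCRYPT = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
# Assumption: these ranges stand in for "internal"; confirm against your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]

# Constructed sample server.xml (not from a real deployment).
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                address="203.0.113.10" port="4000"/>
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                   encryptionKey="REDACTED"/>
    </Channel>
  </Cluster>
</Engine></Service></Server>
"""

def classify_address(addr):
    """Return 'internal', 'exposed', or 'review' (for 'auto' and hostnames)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "review"  # resolved at runtime, so it needs a manual check
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "exposed"

def audit_cluster(server_xml):
    """Return one finding per Receiver on a Channel that uses EncryptInterceptor."""
    findings = []
    for channel in ET.fromstring(server_xml).iter("Channel"):
        interceptors = channel.findall("Interceptor")
        if not any(i.get("className") == ENCRYPT for i in interceptors):
            continue
        # With no explicit Receiver, Tomcat's defaults (address "auto", port 4000) apply.
        receivers = channel.findall("Receiver") or [ET.Element("Receiver")]
        for rx in receivers:
            addr = rx.get("address", "auto")
            findings.append({"address": addr, "port": rx.get("port", "4000"),
                             "exposure": classify_address(addr)})
    return findings

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_SERVER_XML):
        print(finding)
```

An `exposed` or `review` result means the cluster port should be restricted to cluster members with a firewall or a dedicated network, since encryption alone does not address the DoS risk.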
Status
Package | Ubuntu Release | Status |
---|---|---|
tomcat8 | 18.04 LTS bionic | Fixed 8.5.39-1ubuntu1~18.04.3+esm2 |
tomcat8 | 16.04 LTS xenial | Not affected |
tomcat9 | 24.10 oracular | Not affected |
tomcat9 | 24.04 LTS noble | Not affected |
tomcat9 | 22.04 LTS jammy | Fixed 9.0.58-1ubuntu0.1+esm2 |
tomcat9 | 20.04 LTS focal | Fixed 9.0.31-1ubuntu0.6 |
tomcat9 | 18.04 LTS bionic | Fixed 9.0.16-3ubuntu0.18.04.2+esm2 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6943-1: Tomcat vulnerabilities (1 August 2024)