EncryptInterceptor does not provide complete protection on insecure networks
CVE-2022-29885

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Tomcat
Vendor
CVE Published:
12 May 2022

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Affected Version(s)

Apache Tomcat Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14

Apache Tomcat Apache Tomcat 10 10.0.0-M1 to 10.0.20

Apache Tomcat Apache Tomcat 9 9.0.13 to 9.0.62

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-29885
Created by quynhlab

CVE-2022-29885
Created by iveresk

References

https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03...
https://www.oracle.com/security-alerts/cpujul2022.html
https://security.netapp.com/advisory/ntap-20220629-0002/

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was reported to the Apache Tomcat Security team by 4ra1n.
.