CVE-2022-29885 Apache Tomcat EncryptInterceptor

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M14
Apache Tomcat 10.0.0-M1 to 10.0.20
Apache Tomcat 9.0.13 to 9.0.62
Apache Tomcat 8.5.38 to 8.5.78

Description:
The documentation for the EncryptInterceptor incorrectly stated that it enabled Tomcat clustering to run over an untrusted network. While the EncryptInterceptor does provide confidentiality and integrity protection for cluster traffic, it does not protect against all risks associated with running over an untrusted network, in particular denial-of-service (DoS) risks.

Mitigation:
Users running clustering over an untrusted network who require full protection should switch to an alternative solution such as running the clustering communication over a VPN.

History:
2022-05-10 Original advisory

Credit:
This issue was reported to the Apache Tomcat Security team by 4ra1n.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html