Jacob,
On 5/31/22 11:17, DeHaven, Jacob wrote:
> In regards to the Low: Apache Tomcat EncryptInterceptor DoS
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885 which is
> fixed in Apache Tomcat 9.0.63, it is being reported as a Low
> vulnerability on the Apache Tomcat website but others (NIST, Tenable)
> are reporting this vulnerability as High as seen below. Could someone
> please elaborate on this and which one is correct?
>
> NIST:
> https://nvd.nist.gov/vuln/detail/CVE-2022-29885
> Base Score: 7.5 HIGH
>
> Tenable:
> https://www.tenable.com/cve/CVE-2022-29885
> Severity: HIGH
(For completeness)
Tomcat:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.63
Severity: LOW
The severity of any vulnerability is a matter of subjective opinion.
Speaking for myself (a member of the Apache Tomcat Security Team, but
not making any official statement, here), any vulnerability always must
be considered under the following criteria:
1. Complexity (aka ease-of-attack)
2. Probability (aka likelihood of attack)
3. Impact (aka the Bad Stuff[1])
For my part, I would rate CVE-2022-29885 the following way:
1. Complexity: LOW (meaning HIGH severity)
This is an easy attack to perform if you know what you are doing.
2. Probability: LOW (meaning LOW severity)
This is a difficult attack to perform, because it requires that the
target first be running Tomcat as a cluster (which is somewhat rare in
and of itself), and the attacker must be able to access the target's
network being used for that clustering. Those two prerequisites alone
might reduce the overall severity for me to "very low".
3. Impact: MEDIUM (meaning MEDIUM severity)
This is a DOS and thus a breach of availability, not a breach of
security or privacy.
Again, speaking for myself, I would rate this LOW due mostly to the low
Probability rating of this vulnerability.
It's worth pointing out a few more things IMO:
1. While this is being reported as a vulnerability in the
EncryptInterceptor, it's actually a vulnerability in the Tomcat
clustering itself which the EncryptInterceptor fails to mitigate while
implying that it does. (The original claim was that the
EncryptInterceptor allowed Tomcat to be clustered over an untrusted
network. While this is true, it only provides integrity and privacy
guarantees while not providing protection against DOS.)
2. The "fix" was to /adjust the documentation/ to make it clear that the
EncryptInterceptor isn't sufficient protection to run Tomcat's
clustering over a truly untrusted network. So upgrading to the "fixed"
version provides exactly no "protection" whatsoever from the possible
DOS mentioned in CVE-2022-29885.
3. Any software which uses version numbers to report vulnerabilities
instead of executing actual testing for those vulnerabilities is
necessarily going to report a lot of false positives. For example, if
you aren't using Tomcat's clustering, then you were never in any danger
of being susceptible to CVE-2022-29885. Likewise, if you are using
Tomcat clustering but you are using a secured network, then you are also
not susceptible to CVE-2022-29885.
4. It's always a good idea to be running the latest version of the
software you rely on to meet your requirements. Unless there is a
significant reason to stay on your older 9.0.58 version, upgrading to
9.0.63 is just a good idea in general.
5. As you are under the umbrella of US-DHS, you must meet whatever
expectations and requirements are set by DHS, CISA, and any other
government agencies which affect your security policies. I haven't met an agency
yet that doesn't understand that vulnerabilities can be mitigated
without upgrading to a "fixed" version: you should be able to explain
that you don't use the vulnerable component (if it's true, of course),
an attacker can't force the sudden use of the component (not without
having compromised your environment already, in which case
CVE-2022-29885 is the least of your worries), and therefore your
"vulnerable" version is in fact /not/ vulnerable.
Hope that helps,
-chris
[1] https://en.wikipedia.org/wiki/Munchkin_(card_game)#Gameplay
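As an added illustration of point 3 above (not part of the thread, and not Tomcat project code): a small check that reads a server.xml and reports which preconditions of CVE-2022-29885 are actually met, rather than flagging on the version number alone. The sample server.xml fragments and the encryptionKey value are constructed placeholders; the Cluster, Channel and Interceptor element names and the EncryptInterceptor class name are Tomcat's real ones.

```python
import xml.etree.ElementTree as ET

# Fully-qualified class name of the interceptor the CVE is reported against.
ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"


def assess_cluster_exposure(server_xml: str) -> dict:
    """Report whether a server.xml meets the CVE-2022-29885 preconditions.

    - no <Cluster> element: clustering is off, the issue does not apply;
    - <Cluster> with EncryptInterceptor: integrity/privacy only, no DoS
      protection, so the cluster network must still be trusted;
    - <Cluster> without it: the cluster network must be trusted anyway.
    """
    root = ET.fromstring(server_xml)
    clusters = list(root.iter("Cluster"))          # may sit under Engine or Host
    encrypt = [
        i for c in clusters for i in c.iter("Interceptor")
        if i.get("className") == ENCRYPT_INTERCEPTOR
    ]
    if not clusters:
        status = "not_affected"
    elif encrypt:
        status = "clustered_with_encrypt_interceptor"
    else:
        status = "clustered_without_encrypt_interceptor"
    return {"clustered": bool(clusters), "encrypt_interceptor": bool(encrypt), "status": status}


# Constructed sample configurations (placeholders, not real deployments).
NO_CLUSTER = """<Server port="8005"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"/>
  </Engine></Service></Server>"""

CLUSTER_ENCRYPTED = """<Server port="8005"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
      <Channel className="org.apache.catalina.tribes.group.GroupChannel">
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                     encryptionKey="PLACEHOLDER_KEY"/>
      </Channel>
    </Cluster>
    <Host name="localhost" appBase="webapps"/>
  </Engine></Service></Server>"""

CLUSTER_PLAIN = CLUSTER_ENCRYPTED.replace(ENCRYPT_INTERCEPTOR, "org.example.OtherInterceptor")

if __name__ == "__main__":
    for name, cfg in [("no cluster", NO_CLUSTER), ("encrypted", CLUSTER_ENCRYPTED), ("plain", CLUSTER_PLAIN)]:
        print(name, "->", assess_cluster_exposure(cfg)["status"])
```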