PT-2022-2876 · Apache+5 · Apache Tomcat+5

Published 2022-04-28 · Updated 2026-05-18 · CVE-2022-29885

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 10.1.0-M1 through 10.1.0-M14
Apache Tomcat versions 10.0.0-M1 through 10.0.20
Apache Tomcat versions 9.0.13 through 9.0.62
Apache Tomcat versions 8.5.38 through 8.5.78

Description

The issue is related to the EncryptInterceptor in Apache Tomcat, which was incorrectly documented as enabling Tomcat clustering to run over an untrusted network. Although the EncryptInterceptor provides confidentiality and integrity protection, it does not protect against all risks associated with running over an untrusted network, particularly denial-of-service (DoS) risks. This could allow a remote attacker to cause a denial of service.

Recommendations

For Apache Tomcat versions 10.1.0-M1 through 10.1.0-M14, update the documentation to reflect the correct capabilities of the EncryptInterceptor.
For Apache Tomcat versions 10.0.0-M1 through 10.0.20, update the documentation to reflect the correct capabilities of the EncryptInterceptor.
For Apache Tomcat versions 9.0.13 through 9.0.62, update the documentation to reflect the correct capabilities of the EncryptInterceptor.
For Apache Tomcat versions 8.5.38 through 8.5.78, update the documentation to reflect the correct capabilities of the EncryptInterceptor.

As a temporary workaround, consider restricting access to the EncryptInterceptor to minimize the risk of exploitation.

Exploit

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2023_5708
ALSA-2023_5709
ALSA-2023_5710
ALSA-2023_5711
ALSA-2023_5712
ALSA-2023_5713
ALSA-2023_5721
ALSA-2023_5738
ALSA-2023_5749
ALSA-2023_5765
ALSA-2023_5837
ALSA-2023_5838
ALSA-2023_5849
ALSA-2023_5850
ALSA-2023_5863
ALSA-2023_5867
ALSA-2023_5869
ALSA-2023_5924
ALSA-2023_5928
ALSA-2023_5929
ALSA-2023_5989
ALSA-2023_6077
ALSA-2023_6120
ALSA-2023_6746
ALSA-2023_7205
ALSA-2024_1134
ALSA-2024_1444
ALSA-2024_5693
ALSA-2024_5694
ALSA-2025_11333
ALSA-2025_11335
ALSA-2025_16880
ALSA-2025_3645
ALSA-2025_3683
ALT-PU-2023-8058
ALT-PU-2025-2379
ALT-PU-2025-9146
BDU:2022-03434
BIT-TOMCAT-2022-29885
CLEANSTART-2026-AJ47488
CLEANSTART-2026-AM95501
CLEANSTART-2026-CD66042
CLEANSTART-2026-GR86205
CLEANSTART-2026-KB11938
CLEANSTART-2026-MR27796
CLEANSTART-2026-RH10099
CLEANSTART-2026-RK94800
CLEANSTART-2026-SJ80413
CLEANSTART-2026-TN71701
CLEANSTART-2026-UZ56639
CLEANSTART-2026-XI02879
CLEANSTART-2026-XP03839
CLEANSTART-2026-XP58111
CVE-2022-29885
DLA-3160-1
DSA-5265-1
GHSA-R84P-88G2-2VX2
MGASA-2023-0138
ROSA-SA-2023-2258
USN-6943-1

Affected Products

Alt Linux
Apache Tomcat
Astra Linux
Linuxmint
Red Os
Ubuntu