1199508 – (CVE-2022-29885) VUL-1: CVE-2022-29885: tomcat,tomcat6: Documentation error can lead to DoS risks

Bug 1199508 (CVE-2022-29885) - VUL-1: CVE-2022-29885: tomcat,tomcat6: Documentation error can lead to DoS risks

Summary: VUL-1: CVE-2022-29885: tomcat,tomcat6: Documentation error can lead to DoS risks

Status:	RESOLVED WONTFIX

Alias:	CVE-2022-29885

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Abid Mehmood
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/331593/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-29885:3.7:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2022-05-13 08:34 UTC by Cathy Hu
Modified:	2022-08-08 10:14 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Cathy Hu 2022-05-13 08:34:42 UTC

CVE-2022-29885

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to
10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor
incorrectly stated it enabled Tomcat clustering to run over an untrusted
network. This was not correct. While the EncryptInterceptor does provide
confidentiality and integrity protection, it does not protect against all risks
associated with running over any untrusted network, particularly DoS risks.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885
http://www.cvedetails.com/cve/CVE-2022-29885/
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv

Comment 1 Cathy Hu 2022-05-13 08:35:11 UTC

Affected:
 - SUSE:SLE-12-SP4:Update/tomcat   9.0.36
 - SUSE:SLE-15-SP1:Update/tomcat   9.0.36
 - SUSE:SLE-15-SP2:Update/tomcat   9.0.36
 - SUSE:SLE-15:Update/tomcat       9.0.36
 - openSUSE:Factory/tomcat         9.0.43

Not affected:
 - SUSE:SLE-11:Update/tomcat6
 - SUSE:SLE-12-SP2:Update/tomcat   8.0.53

Comment 2 Cathy Hu 2022-05-13 08:36:11 UTC

As this is only a documentation error, we can close it as wontfix if you like. Just let me know what you think about it.

Comment 3 Cathy Hu 2022-08-08 10:14:43 UTC

Closing