CVE-2022-29885 vulnerability in Apache and Other Products
Published on May 12, 2022

EncryptInterceptor does not provide complete protection on insecure networks

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Vendor Advisory NVD

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2022-29885 has been classified to as a Resource Exhaustion vulnerability or weakness.

Products Associated with CVE-2022-29885

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-29885 are published in these products:

Apache Tomcat

Debian Linux

Oracle Hospitality Cruise Shipboard Property Management System

Canonical Ubuntu Linux

Affected Versions

Apache Software Foundation Apache Tomcat:

Version Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14 is affected.
Version Apache Tomcat 10 10.0.0-M1 to 10.0.20 is affected.
Version Apache Tomcat 9 9.0.13 to 9.0.62 is affected.
Version Apache Tomcat 8.5 8.5.38 to 8.5.78 is affected.

Exploit Probability

EPSS

60.11%

Percentile

98.22%