
CVE-2022-29885: Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.98412%
Published: 5/13/2022
Updated: 3/11/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name               Ecosystem   Vulnerable Versions            First Patched Version
org.apache.tomcat:tomcat   maven       >= 10.1.0-M1, < 10.1.0-M15     10.1.0-M15
org.apache.tomcat:tomcat   maven       >= 10.0.0-M1, < 10.0.21        10.0.21
org.apache.tomcat:tomcat   maven       >= 9.0.13, < 9.0.63            9.0.63
org.apache.tomcat:tomcat   maven       >= 8.5.38, < 8.5.79            8.5.79

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability CVE-2022-29885 stems from documentation inaccuracies rather than code flaws. The EncryptInterceptor itself was not inherently vulnerable; instead, the documentation incorrectly claimed it provided sufficient protection for untrusted networks. The patches (e.g., in changelog.xml, cluster-howto.xml) only updated documentation to clarify that EncryptInterceptor does not mitigate DoS risks. No code changes to the EncryptInterceptor or related functions were made in the provided commit diffs. Thus, there are no specific functions in the codebase identified as vulnerable—the issue lies in misleading documentation leading to insecure deployment decisions.


WAF Protection Rules

WAF Rule

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct.
