Resource exhaustion in Apache Software Foundation Tomcat
CVE-2022-29885
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was n…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.555 (98.1th percentile) — read the EPSS interpretation.
Affected products
- Apache Software Foundation Tomcat — versions Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14, Apache Tomcat 10 10.0.0-M1 to 10.0.20, Apache Tomcat 9 9.0.13 to 9.0.62
Weakness classification (CWE)
Public proof-of-concept exploits
References
- lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
- www.oracle.com/security-alerts/cpujul2022.html
- security.netapp.com/advisory/ntap-20220629-0002/
- [debian-lts-announce] 20221026 [SECURITY] [DLA 3160-1] tomcat9 security update (mailing-list)
- DSA-5265 (vendor-advisory)
- packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
Frequently asked questions
- What is CVE-2022-29885?
- CVE-2022-29885 is a vulnerability in Apache Software Foundation Tomcat, classified under Uncontrolled Resource Consumption. Published 2022-05-12.
- Is CVE-2022-29885 known to be exploited?
- 27 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.