UBUNTU-CVE-2022-29885
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 12 May 2022, 08:15
Last modified:01 Jun 2026, 17:15
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
12 May 2022, 08:15
Published
Vulnerability first disclosed
01 Jun 2026, 17:15
Last Modified
Vulnerability information updated
Description
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
- ubuntu•tomcat10
all | all | all
- ubuntu•tomcat6
all | all
- ubuntu•tomcat7
all
- ubuntu•tomcat8
< 8.5.39-1ubuntu1~18.04.3+esm2
- ubuntu•tomcat9
< 9.0.16-3ubuntu0.18.04.2+esm2 | < 9.0.31-1ubuntu0.6 | < 9.0.58-1ubuntu0.1+esm2
References (6)
- https://ubuntu.com/security/CVE-2022-29885
- https://github.com/apache/tomcat/commit/eaafd28296c54d983e28a47953c1f5cb2c334f48
- https://github.com/apache/tomcat/commit/b679bc627f5a4ea6510af95adfb7476b07eba890
- https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
- https://www.cve.org/CVERecord?id=CVE-2022-29885
- https://ubuntu.com/security/notices/USN-6943-1