
Apache Releases Security Updates for Apache Tomcat

Apache releases security updates to fix a DoS vulnerability and a request mix-up vulnerability in Apache Tomcat




Threat details

Introduction

The Apache Software Foundation has released security updates to address two vulnerabilities in Apache Tomcat. The first, CVE-2022-29885, concerns the EncryptInterceptor used by Tomcat clustering. The interceptor provides confidentiality and integrity protection for cluster traffic, but, contrary to what the Tomcat documentation stated, it does not protect against all the risks of running clustering over an untrusted network, in particular denial of service (DoS). The second, CVE-2022-25762, is an improper resource shutdown or release: if a web application sends a WebSocket message at the same time as the WebSocket connection is closing, the error handling can place a pooled object into the pool twice, so that later connections use the same object concurrently. The resulting request mix-up could cause data to be returned to the wrong user and/or other errors. Neither issue gives an attacker control of the server: the impact is loss of availability in the first case and data exposure or application errors in the second.


Remediation advice

Affected organisations are encouraged to review the relevant Apache Tomcat security advisory below and follow the appropriate remediation step to apply the necessary updates.


Remediation steps

Type: Guidance
Step: Apache Tomcat EncryptInterceptor DoS (CVE-2022-29885). Apache Tomcat 10.1.0-M1 to 10.1.0-M14 should update to Apache Tomcat 10.1.0-M15 or later.
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.0-M15

Type: Guidance
Step: Apache Tomcat EncryptInterceptor DoS (CVE-2022-29885). Apache Tomcat 10.0.0-M1 to 10.0.20 should update to Apache Tomcat 10.0.21 or later.
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.21

Type: Guidance
Step: Apache Tomcat EncryptInterceptor DoS (CVE-2022-29885). Apache Tomcat 9.0.13 to 9.0.62 should update to Apache Tomcat 9.0.63 or later.
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.63

Type: Guidance
Step: Apache Tomcat EncryptInterceptor DoS (CVE-2022-29885). Apache Tomcat 8.5.38 to 8.5.78 should update to Apache Tomcat 8.5.79 or later.
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.79

Type: Guidance
Step: Request mix-up (CVE-2022-25762). Apache Tomcat 9.0.0 to 9.0.20 should update to Apache Tomcat 9.0.21 or later.
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.21

Type: Guidance
Step: Request mix-up (CVE-2022-25762). Apache Tomcat 8.5.0 to 8.5.75 should update to Apache Tomcat 8.5.76 or later.
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.76
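The steps above only tell you which branch to update to once you know which row you fall in. The following script, added here as an example and not part of this advisory or of Apache Tomcat, turns the table into a check: it parses the version string printed by Tomcat's own version.sh / catalina.sh version ("Server version: Apache Tomcat/9.0.62"), orders milestone builds (10.1.0-M14) correctly before the GA release of the same number, reports every CVE whose range contains the version, and inspects server.xml for the Tribes EncryptInterceptor so that the CVE-2022-29885 finding says whether the affected component is actually in use. The version ranges are copied from the table; the sample banner, sample server.xml and function names are constructed for illustration.

```python
"""Added example: check a Tomcat installation against the affected ranges in
this advisory.  Ranges come from the advisory table; the sample input and
helper names are constructed and are not Apache Tomcat code."""
import re
import xml.etree.ElementTree as ET

# (CVE, first affected, last affected, fixed in) - copied from the advisory table.
ADVISORY_RANGES = [
    ("CVE-2022-29885", "10.1.0-M1", "10.1.0-M14", "10.1.0-M15"),
    ("CVE-2022-29885", "10.0.0-M1", "10.0.20", "10.0.21"),
    ("CVE-2022-29885", "9.0.13", "9.0.62", "9.0.63"),
    ("CVE-2022-29885", "8.5.38", "8.5.78", "8.5.79"),
    ("CVE-2022-25762", "9.0.0", "9.0.20", "9.0.21"),
    ("CVE-2022-25762", "8.5.0", "8.5.75", "8.5.76"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '9.0.62' or '10.1.0-M14' into a sortable tuple.

    Milestones are pre-releases of the same number, so the order must be
    10.1.0-M1 < 10.1.0-M14 < 10.1.0 (GA).  Slot four is 0 for a milestone and
    1 for GA; slot five is the milestone number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_banner(banner):
    """Pull the version out of the 'Server version: Apache Tomcat/x.y.z' line
    printed by version.sh / catalina.sh version."""
    m = re.search(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)", banner)
    if not m:
        raise ValueError("no Tomcat version found in banner")
    return m.group(1)


def affected_cves(version):
    """Return {cve: fixed_in} for every advisory row whose range contains version.
    Branches are disjoint, so plain tuple comparison is enough."""
    v = parse_version(version)
    hits = {}
    for cve, first, last, fixed in ADVISORY_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            hits[cve] = fixed
    return hits


def uses_encrypt_interceptor(server_xml):
    """True if any <Interceptor> under the cluster channel is the Tribes EncryptInterceptor."""
    root = ET.fromstring(server_xml)
    return any(node.get("className", "").endswith(".EncryptInterceptor")
               for node in root.iter("Interceptor"))


def assess(banner, server_xml):
    """Combine the version check with the configuration check into findings."""
    version = version_from_banner(banner)
    findings = []
    for cve, fixed in sorted(affected_cves(version).items()):
        note = "update to %s or later" % fixed
        if cve == "CVE-2022-29885":
            # The DoS exposure needs the interceptor to be configured and the
            # cluster traffic to cross an untrusted network.
            if uses_encrypt_interceptor(server_xml):
                note += "; EncryptInterceptor is configured, keep cluster traffic on a trusted network"
            else:
                note += "; EncryptInterceptor is not configured, so the DoS path is not exposed"
        findings.append((cve, note))
    return findings


# Constructed sample input: a clustered Tomcat 9.0.62 with EncryptInterceptor enabled.
SAMPLE_BANNER = "Server version: Apache Tomcat/9.0.62\n"
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="constructed-dummy-key"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for cve, note in assess(SAMPLE_BANNER, SAMPLE_SERVER_XML):
        print(cve, "-", note)
```

Run against a real host by feeding it the output of `$CATALINA_HOME/bin/version.sh` and the contents of `conf/server.xml`. Note that a 9.0.62 install is in the CVE-2022-29885 range but past the CVE-2022-25762 range, so only the first CVE is reported; a 9.0.15 install gets both.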


Last edited: 18 May 2022 3:56 pm