返回
-
标题
Apache Tomcat Vulnerabilities: CVE-2022-29885, CVE-2022-42252 -
说明
Two vulnerabilities for Tomcat found in security scan:
Apache Tomcat: Low: Apache Tomcat EncryptInterceptor DoS (CVE-2022-29885) - Vulnerable software installed: Apache Tomcat 9.0.55 ([FMS_HOME]/server/tomcat/lib/catalina.jar)
Apache Tomcat: Low: Apache Tomcat request smuggling (CVE-2022-42252) - Vulnerable software installed: Apache Tomcat 9.0.55 ([FMS_HOME]/server/tomcat/lib/catalina.jar)
What are the effects of these vulnerabilities on Foglight? -
原因
https://nvd.nist.gov/vuln/detail/CVE-2022-29885
https://nvd.nist.gov/vuln/detail/CVE-2022-42252
-
解决办法
CVE-2022-29885 is for the environments using Tomcat clustering. Foglight does not use Tomcat clustering; therefore it is not affected.
CVE-2022-42252 applies if Tomcat is configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false. Foglight has rejectIllegalHeader as true which is the default value in Tomcat 9; therefore, Foglight is not affected.
STATUS
Apache Tomcat has been upgraded to version 9.0.68 beginning in Foglight 6.3.0 -
缺陷ID
FOG-3797