CVE-2022-29885 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 was incorrect about Tomcat clustering over an untrusted network.

Due to the risk of denial of service, it is recommended that Tomcat be run at a distance from the untrusted network and that fail-over be enabled. Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 did not report a clear status after a stop and start of the server; a user could verify this by looking at the output of the show tomcat status command. There was an inaccurate description of the validity of SSL certificates when running Tomcat in a clustered setup at the start of the boot process. This was clarified so that the user of the documentation has a complete understanding of the validity of the SSL certificates.

HTTPS deployments of Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 did not work as expected. This was due to the change in the behavior of the http.cipherOrder value when running Tomcat on JRE 1.8 or later. Clients expected http.cipherOrder to be the same as http.sslCipherOrder when using HTTPS. There

Upgrade Notifications

Tomcat 10.1.0-M14 and later report the old behavior for http.cipherOrder. Because this is a change in behavior, it is listed here as an upgrade notification.

Tomcat 8.5.38 to 8.5.78

Tomcat 8.5.38 to 8.5.78 included a fix for CVE-2016-8735, which incorrectly handled certain cases of TLS client authentication. When running on JRE 8 or later, that fix left Tomcat unable to negotiate TLS connections with the nss3 libraries in NSS versions 3.19, 3.28 and 3.29 (before version 3.30), because of the behavior change in the http.cipherOrder option on JRE 8 or later mentioned above.

To work around this issue, upgrade the nss3 libraries, if possible, before deploying Tomcat 8.5.38 to 8.5.78 with HTTPS.
