Bug 2158695 (CVE-2022-45143)
| Summary: | CVE-2022-45143 tomcat: JsonErrorReportValve injection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aileenc, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, ben.argyle, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, cmoulliard, csutherl, darran.lofthouse, dkreling, dosoudil, emingora, fjuma, fmongiar, gjospin, gmalinko, huwang, ibek, ikanello, ivassile, iweiss, janstey, jclere, jnethert, jpavlik, jpoth, jrokos, jstastny, jwon, kverlaen, kyoshida, lgao, lthon, mmadzin, mnovotny, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, pskopek, rguimara, rhcs-maint, rrajasek, rruss, rstancel, saydas, smaestri, sthorger, suwu, szappis, tcunning, tom.jenkinson, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat 10.1.2, tomcat 9.0.69, tomcat 8.5.84 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the Tomcat package. This flaw allowed users to input an invalid JSON structure, causing unwanted behavior as it did not escape the type, message, or description values.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-04-12 18:41:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2158760, 2158759, 2158762, 2159688, 2173837, 2173838 | ||
| Bug Blocks: | 2158001 | ||
|
Description
TEJ RATHI
2023-01-06 05:56:10 UTC
Created tomcat tracking bugs for this issue: Affects: epel-all [bug 2158760] Affects: fedora-all [bug 2158759] Commits: https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-45143 This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954 This issue has been addressed in the following products: Red Hat support for Spring Boot 2.7.13 Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612 This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9). This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9). |