Bug 2158695 (CVE-2022-45143) - CVE-2022-45143 tomcat: JsonErrorReportValve injection
Summary: CVE-2022-45143 tomcat: JsonErrorReportValve injection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-45143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2158760 2158759 2158762 2159688 2173837 2173838
Blocks: 2158001
Reported: 2023-01-06 05:56 UTC by TEJ RATHI
Modified: 2023-10-25 11:04 UTC (History)
CC List: 67 users

Fixed In Version: tomcat 10.1.2, tomcat 9.0.69, tomcat 8.5.84
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Tomcat package. Because the JsonErrorReportValve did not escape the type, message, or description values, user-supplied input could produce an invalid or manipulated JSON structure, causing unwanted behavior.
Clone Of:
Environment:
Last Closed: 2023-04-12 18:41:02 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1663 0 None None None 2023-04-12 12:27:51 UTC
Red Hat Product Errata RHSA-2023:1664 0 None None None 2023-04-12 12:49:25 UTC
Red Hat Product Errata RHSA-2023:3954 0 None None None 2023-06-29 20:08:14 UTC
Red Hat Product Errata RHSA-2023:4612 0 None None None 2023-08-16 10:56:11 UTC

Description TEJ RATHI 2023-01-06 05:56:10 UTC
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
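
The flaw class described in the report, as an added example that is not part of the bug report or of Tomcat's own code: a hypothetical error-report builder that concatenates request-influenced values into a JSON template (the shape of the defect the advisory describes, not Tomcat's actual JsonErrorReportValve), beside a hardened version that escapes each value first. A small check distinguishes the two failure modes the advisory names: output that still parses but carries fields the server never intended ("manipulated") and output that no longer parses at all ("invalid"). The sample messages, the report layout and the function names are constructed for this example.

```python
import json

# Constructed sample values (not from the advisory): what a request might
# contribute to the "message" field of an error report.
BENIGN_MESSAGE = "Not Found"
# Closes the string literal early and adds an extra key: the output still
# parses, but it is no longer the document the server meant to send.
MANIPULATING_MESSAGE = 'Not Found","injected":"true'
# An unbalanced quote followed by a raw newline: the output no longer parses.
INVALIDATING_MESSAGE = 'Not Found" \n'


def naive_error_json(type_, message, description):
    """Mirror of the flaw class: values are concatenated into a JSON template
    with no escaping. Hypothetical layout, not Tomcat's code."""
    return ('{"type":"' + type_ + '","message":"' + message +
            '","description":"' + description + '"}')


def escape_json_string(value):
    """Escape a string for use inside a JSON string literal (RFC 8259):
    backslash, double quote and every control character below U+0020."""
    out = []
    for ch in value:
        if ch == '"':
            out.append('\\"')
        elif ch == '\\':
            out.append('\\\\')
        elif ch == '\n':
            out.append('\\n')
        elif ch == '\r':
            out.append('\\r')
        elif ch == '\t':
            out.append('\\t')
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def hardened_error_json(type_, message, description):
    """Same template, but every interpolated value is escaped first."""
    return ('{"type":"' + escape_json_string(type_) + '","message":"' +
            escape_json_string(message) + '","description":"' +
            escape_json_string(description) + '"}')


def check_report(document, type_, message, description):
    """Return 'invalid' if the document does not parse, 'manipulated' if it
    parses to anything other than the intended three fields, else 'ok'."""
    try:
        parsed = json.loads(document)
    except json.JSONDecodeError:
        return "invalid"
    expected = {"type": type_, "message": message, "description": description}
    return "ok" if parsed == expected else "manipulated"


def classify(builder, message):
    """Build an error report with the given builder and classify the result.
    The type and description strings are fixed, constructed values."""
    type_ = "status report"
    description = "The requested resource is not available."
    return check_report(builder(type_, message, description),
                        type_, message, description)


if __name__ == "__main__":
    for name, msg in [("benign", BENIGN_MESSAGE),
                      ("manipulating", MANIPULATING_MESSAGE),
                      ("invalidating", INVALIDATING_MESSAGE)]:
        print(f"{name:13s} naive={classify(naive_error_json, msg):12s} "
              f"hardened={classify(hardened_error_json, msg)}")
```

The check is deliberately stricter than "does it parse": a report that round-trips through a JSON parser to exactly the intended fields is the only acceptable outcome, which is what rules out the extra-key case that a parse-only check would wave through.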

Comment 1 TEJ RATHI 2023-01-06 13:46:14 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2158760]
Affects: fedora-all [bug 2158759]

Comment 8 errata-xmlrpc 2023-04-12 12:27:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663

Comment 9 errata-xmlrpc 2023-04-12 12:49:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664

Comment 10 Product Security DevOps Team 2023-04-12 18:40:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-45143

Comment 11 errata-xmlrpc 2023-06-29 20:08:10 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

Comment 12 errata-xmlrpc 2023-08-16 10:56:05 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.7.13

Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612

Comment 13 Ben 2023-10-12 09:53:16 UTC
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).
