Bug 2158695 (CVE-2022-45143)

Summary: CVE-2022-45143 tomcat: JsonErrorReportValve injection
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: TEJ RATHI <trathi>
Assignee: Red Hat Product Security <security-response-team>
CC: aileenc, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, ben.argyle, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, cmoulliard, csutherl, darran.lofthouse, dkreling, dosoudil, emingora, fjuma, fmongiar, gjospin, gmalinko, huwang, ibek, ikanello, ivassile, iweiss, janstey, jclere, jnethert, jpavlik, jpoth, jrokos, jstastny, jwon, kverlaen, kyoshida, lgao, lthon, mmadzin, mnovotny, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, pskopek, rguimara, rhcs-maint, rrajasek, rruss, rstancel, saydas, smaestri, sthorger, suwu, szappis, tcunning, tom.jenkinson, yfang
Fixed In Version: tomcat 10.1.2, tomcat 9.0.69, tomcat 8.5.84
Doc Text:
A flaw was found in the Tomcat package. Because it did not escape the type, message, or description values, users could supply input that produced an invalid JSON structure, causing unwanted behavior.
Last Closed: 2023-04-12 18:41:02 UTC
Bug Depends On: 2158759, 2158760, 2158762, 2159688, 2173837, 2173838
Bug Blocks: 2158001

Description TEJ RATHI 2023-01-06 05:56:10 UTC
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user-provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
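The defect described above, as an added illustration that is not Tomcat's own code: a JSON error report assembled by plain string concatenation next to one whose values pass through a JSON string escape, with Python's json parser as the check. The function names (build_unescaped, build_escaped, json_escape, parse_report) and the sample type, message and description values are constructed for this example.

```python
import json

# Constructed sample values for this example (not taken from Tomcat). In the
# valve the message and description are built from request data, which is how
# a quotation mark or a control character can reach the JSON body.
SAMPLE_TYPE = "status-report"
SAMPLE_MESSAGE = 'resource "index.html" not found'
SAMPLE_DESCRIPTION = "The requested resource is not available."


def build_unescaped(status, type_, message, description):
    """Report body built by plain concatenation: the shape of the defect in
    CVE-2022-45143. A value containing a quotation mark, a reverse solidus
    or a control character changes the structure of the document instead of
    staying inside its string."""
    return ('{"type":"%s","status":"%d","message":"%s","description":"%s"}'
            % (type_, status, message, description))


def json_escape(value):
    """Escape the characters RFC 8259 forbids raw inside a JSON string:
    quotation mark, reverse solidus and the controls U+0000..U+001F."""
    short = {'"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
             '\n': '\\n', '\r': '\\r', '\t': '\\t'}
    out = []
    for ch in value:
        if ch in short:
            out.append(short[ch])
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_escaped(status, type_, message, description):
    """Same layout, with every untrusted value escaped before insertion."""
    return build_unescaped(status, json_escape(type_), json_escape(message),
                           json_escape(description))


def parse_report(text):
    """Return the decoded report, or None if the body is not valid JSON."""
    try:
        return json.loads(text)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return None


if __name__ == "__main__":
    # The unescaped body fails to parse; the escaped one round-trips the
    # message unchanged.
    for builder in (build_unescaped, build_escaped):
        body = builder(404, SAMPLE_TYPE, SAMPLE_MESSAGE, SAMPLE_DESCRIPTION)
        print(builder.__name__, body)
        print("  parsed as:", parse_report(body))
```

A quotation mark in the message is enough to make the unescaped body unparseable; other characters can instead leave it parseable with a different structure, which is the "manipulated" case in the description. Either way the fix is the same: every value derived from the request is escaped before it is placed inside a JSON string.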

Comment 1 TEJ RATHI 2023-01-06 13:46:14 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2158760]
Affects: fedora-all [bug 2158759]

Comment 8 errata-xmlrpc 2023-04-12 12:27:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663

Comment 9 errata-xmlrpc 2023-04-12 12:49:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664

Comment 10 Product Security DevOps Team 2023-04-12 18:40:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-45143

Comment 11 errata-xmlrpc 2023-06-29 20:08:10 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

Comment 12 errata-xmlrpc 2023-08-16 10:56:05 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.7.13

Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612

Comment 13 Ben 2023-10-12 09:53:16 UTC
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).

Comment 15 Ben 2024-05-31 15:40:56 UTC
Can someone please explain why this CVE is not being fixed for the Tomcat shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9?

Comment 16 Socrates Zappis 2024-06-05 08:17:52 UTC
Hi Ben, this has indeed been fixed in the tomcat shipped with RHEL8 and RHEL9, but it was an omission on our part because there was no tracker for it. We're rectifying this with https://issues.redhat.com/browse/RHEL-38548.

Comment 17 Ben 2024-06-05 09:46:55 UTC
That's great news, thank you so much!  Sadly I don't have permission to view that Jira issue.  I'd appreciate knowing which RPMs (full package name) for RHEL 8 and RHEL 9 contain this fix, please.

Comment 18 Socrates Zappis 2024-06-05 13:23:44 UTC
For RHEL 8 the builds (which are pending release) are tomcat-9.0.87-1.el8_8.2 for 8.8.0.z and tomcat-9.0.87-1.el8_10.1 for 8.10.0.z. For RHEL 9 the (released) build is tomcat-9.0.87-1.el9_4.1.

Comment 19 Ben 2024-06-05 13:44:53 UTC
Again, that's wonderful, and very much appreciated.  Those builds also patch CVE-2024-24549 and CVE-2024-23672, which is fantastic.  If they also fix CVE-2022-45143 (this BZ) as you say I will be over the moon!  Thank you so much.  Will this be reflected on https://access.redhat.com/security/cve/CVE-2022-45143?  I don't see any update for the fact that tomcat-9.0.87-1.el9_4.1 should have fixed CVE-2022-45143 in https://access.redhat.com/errata/RHSA-2024:3307.  I guess the fact that it's Tomcat 9.0.87 means it's fixed by the rebase?

Comment 20 Socrates Zappis 2024-06-05 14:38:57 UTC
Exactly that, it's fixed by the rebase, hence not affected, so I don't expect any changes on that page. I will follow up to fix any information that we've missed, but rest assured that the available builds of tomcat are *not* affected by this CVE :) It was a matter of improper tracking. The first RHEL8 build that fixed this issue was tomcat-9.0.62-5.el8_8.2 and for RHEL9 it was tomcat-9.0.62-11.el9_2.3.