The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
Created tomcat tracking bugs for this issue: Affects: epel-all [bug 2158760] Affects: fedora-all [bug 2158759]
Commits: https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-45143
This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
This issue has been addressed in the following products: Red Hat support for Spring Boot 2.7.13 Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).
Can someone please explain why this CVE is not being fixed for the Tomcat shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9?
Hi Ben, this had indeed fixed in tomcat shipped with RHEL8 and RHEL9, but it was an omission on our part because there was no tracker for it. We're rectifying this with https://issues.redhat.com/browse/RHEL-38548.
That's great news, thank you so much! Sadly I don't have permission to view that Jira issue. I'd appreciate knowing which RPMs (full package name) for RHEL 8 and RHEL 9 contain this fix, please.
For rhel8 the builds (which are pending to be released) are tomcat-9.0.87-1.el8_8.2 for 8.8.0.z and tomcat-9.0.87-1.el8_10.1 for 8.10.0.z. For RHEL9 the (released) build is tomcat-9.0.87-1.el9_4.1.
Again, that's wonderful, and very much appreciated. Those builds also patch CVE-2024-24549 and CVE-2024-23672, which is fantastic. If they also fix CVE-2022-45143 (this BZ) as you say I will be over the moon! Thank you so much. Will this be reflected on https://access.redhat.com/security/cve/CVE-2022-45143? I don't see any update for the fact that tomcat-9.0.87-1.el9_4.1 should have fixed CVE-2022-45143 in https://access.redhat.com/errata/RHSA-2024:3307. I guess the fact that it's Tomcat 9.0.87 means it's fixed by the rebase?
Exactly that, it's fixed by the rebase, hence not affected so I don't expect any changes in that page. I will follow up to fix any information that we've missed, but rest assured that the available builds of tomcat are *not* affected by this CVE :) It was a matter of improper tracking. The first RHEL8 build that fixed this issue was tomcat-9.0.62-5.el8_8.2 and for RHEL9 it was tomcat-9.0.62-11.el9_2.3 .