Spectrum CABI Jaspersoft Tomcat Vulnerability CVE-2022-29885

Article ID: 254635

Products

CA Spectrum DX NetOps

Issue/Introduction

We have detected vulnerabilities in Tomcat for Jaspersoft. Please review and let me know the remediation.

 

Threat

Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

The Apache Tomcat documentation for the EncryptInterceptor incorrectly stated that it enabled Tomcat clustering to run over an untrusted network. While the EncryptInterceptor does provide confidentiality and integrity protection for cluster traffic, it does not protect against all risks associated with running over an untrusted network, particularly denial-of-service (DoS) risks. The practical consequence for operators is that the cluster channel should still be confined to a trusted network regardless of whether the interceptor is configured.

Affected Versions:
Apache Tomcat 10.1.0-M1 to 10.1.0-M14
Apache Tomcat 10.0.0-M1 to 10.0.20
Apache Tomcat 9.0.13 to 9.0.62
Apache Tomcat 8.5.38 to 8.5.78

QID Detection Logic (Unauthenticated):
The QID checks for a vulnerable version by sending a GET /QUALYS730242 HTTP/1.0 request; the resulting error response carries the installed Apache Tomcat version in its banner (Tomcat's default error page prints the server version). The check is purely version-based, so a customised error page or a reverse proxy in front of Tomcat hides the banner and the scanner cannot conclude anything from that alone.
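As an added example (not Broadcom, Qualys or Apache code) of how this banner-based detection works, and of checking an installed version against the affected ranges listed above, the following Python script pulls the Tomcat version out of a constructed default 404 response or out of ServerInfo output and compares it with those ranges. The host, port and probe path used by fetch_banner() are assumptions that mirror the QID request; everything else runs offline on constructed samples and never touches the network.

```python
"""Offline version check for CVE-2022-29885.

Added example, not Broadcom, Qualys or Apache code. It reproduces what the
QID logic does: take the Tomcat version from the banner of an error response
and compare it against the affected ranges listed on this page. The sample
responses below are constructed; fetch_banner() is the only function that
touches the network and the demo does not call it.
"""
import http.client
import re

# Affected ranges exactly as listed in the advisory text above.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M14"),
    ("10.0.0-M1", "10.0.20"),
    ("9.0.13", "9.0.62"),
    ("8.5.38", "8.5.78"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")
# Tomcat's default error page and ServerInfo both print "Apache Tomcat/<version>".
BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def version_key(version):
    """Sortable key: milestones ('10.1.0-M14') order before the GA release ('10.1.0')."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % (version,))
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else float("inf"))


def is_affected(version):
    """True when the version falls inside one of the affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def extract_version(text):
    """Return the Tomcat version found in an HTTP response or ServerInfo output, or None.

    None is the blind spot of banner-based checks: a customised error page or a
    reverse proxy hides the version, which means 'not detected', not 'not vulnerable'.
    """
    m = BANNER_RE.search(text)
    return m.group(1) if m else None


def assess(text):
    """(version, verdict) where verdict is 'affected', 'not affected' or 'unknown'."""
    version = extract_version(text)
    if version is None:
        return None, "unknown"
    return version, "affected" if is_affected(version) else "not affected"


def fetch_banner(host, port=8080, path="/QUALYS730242", timeout=5):
    """Send the same unauthenticated GET the QID uses and return the raw response text.

    host, port and path are assumptions for illustration; not called by the demo.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return "HTTP/1.%d %d %s\r\n\r\n%s" % (resp.version % 10, resp.status, resp.reason, body)
    finally:
        conn.close()


# Constructed sample: the shape of Tomcat's default 404 page, for an affected version.
SAMPLE_404_AFFECTED = (
    "HTTP/1.1 404 \r\n"
    "Content-Type: text/html;charset=utf-8\r\n\r\n"
    "<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 - Not Found</title></head>"
    "<body><h1>HTTP Status 404 - Not Found</h1><hr class=\"line\" />"
    "<p><b>Type</b> Status Report</p><hr class=\"line\" />"
    "<h3>Apache Tomcat/8.5.78</h3></body></html>"
)

# Constructed sample: first lines of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`
# for the Tomcat version that CABI 7.9.2 ships with, per the resolution on this page.
SAMPLE_SERVERINFO_FIXED = "Server version: Apache Tomcat/8.5.81\nServer number:  8.5.81.0"

# Constructed sample: a customised error page that leaks nothing.
SAMPLE_404_CUSTOM = "HTTP/1.1 404 \r\n\r\n<html><body>Not found</body></html>"

if __name__ == "__main__":
    for name, sample in [("default 404", SAMPLE_404_AFFECTED),
                         ("ServerInfo", SAMPLE_SERVERINFO_FIXED),
                         ("custom 404", SAMPLE_404_CUSTOM)]:
        print(name, assess(sample))
```

On the CABI host itself, the installed version can be confirmed without any network probe by running `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from the Tomcat installation directory; its output contains the same "Apache Tomcat/<version>" string and can be fed to assess() directly. Treat an "unknown" verdict from the network probe as "go and check locally", not as a clean result.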

Remediation notes

Upgrade Apache Tomcat to a release that contains the fix (10.1.0-M15, 10.0.21, 9.0.63 or 8.5.79, or later on the same branch). Please refer to the Apache Tomcat Security Advisory for the affected branch.

Patch:
The following are links for downloading patches to fix the vulnerabilities:

CVE-2022-29885

 

CA Business Intelligence (CABI) version 7.9.1

Environment

Release : 22.2

Cause

Vulnerability

Resolution

You need to install CA Business Intelligence (Jaspersoft) 7.9.2, which is supported with NetOps release 22.2.1 and above:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/22-2/release-information/Features-and-Enhancements-2222.html

Support for CA Business Intelligence 7.9.2
This release supports CA Business Intelligence (CABI) 7.9.2. The CABI 7.9.2 version includes the following enhancements:
Apache Tomcat is now upgraded to the 8.5.81 version.
OpenJDK is now upgraded to the 1.8.0_332-b09 version.