Broadcom API Gateway 10.1 : CVE-2022-45143 Apache Tomcat Vulnerabilities

Article ID: 257540

Products

CA API Gateway

Issue/Introduction

CVE-2022-45143 : The JsonErrorReportValve class in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. 
In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-45143

Environment

Release : 10.1

Cause

CVE-2022-45143 affects the JsonErrorReportValve in the Apache Tomcat servlet container. JsonErrorReportValve is an alternative to the default ErrorReportValve that renders HTTP error responses as a JSON status report instead of an HTML page.
In the affected releases the valve wrote the type, message and description values into that JSON without escaping them.
In some circumstances these values are built from user-supplied data (for example, when an application echoes request data into an error message), so a request containing characters such as a double quote could produce an error body that is no longer valid JSON, or that carries attacker-chosen keys and values.
The impact is limited to invalidating or manipulating the JSON error output returned by the valve; the vulnerability does not allow code execution on the server.
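The following is an added illustration of the escaping problem described above; it is not Tomcat's source code. The report shape ({"type":...,"message":...,"description":...}) mirrors the JSON status report the valve emits, but the builder functions, the attacker values and the parser are assumptions constructed for the example.

```python
import json

# Illustrative re-creation (added here, not Tomcat's source): the JSON status
# report shape {"type":...,"message":...,"description":...} mirrors what
# JsonErrorReportValve emits, but the functions below are assumptions used to
# show the escaping bug, not the valve's own code.

def build_report_unescaped(status_type, message, description):
    """Vulnerable construction: values are concatenated into the JSON text
    without escaping, which is the behaviour described in CVE-2022-45143."""
    return ('{"type":"%s","message":"%s","description":"%s"}'
            % (status_type, message, description))

def build_report_escaped(status_type, message, description):
    """Hardened construction: a real JSON encoder escapes quotes, backslashes
    and control characters, so user data can never leave its string value."""
    return json.dumps({"type": status_type,
                       "message": message,
                       "description": description})

def parse_report(report):
    """Parse an error report as a consumer would; None means invalid JSON."""
    try:
        return json.loads(report)
    except json.JSONDecodeError:
        return None

# Constructed attacker-controlled values (e.g. request data echoed into an
# error message by the application).
BREAKS_JSON = 'missing"resource'          # a bare quote ends the string early
FORGES_KEY = 'missing","type":"forged'    # closes the string, injects a key

if __name__ == "__main__":
    for crafted in (BREAKS_JSON, FORGES_KEY):
        raw = build_report_unescaped("status report", crafted, "Not Found")
        safe = build_report_escaped("status report", crafted, "Not Found")
        print("unescaped:", raw, "->", parse_report(raw))
        print("escaped:  ", safe, "->", parse_report(safe))
```

With the unescaped builder, the first value yields a body that no longer parses, and the second yields valid JSON in which the injected "type" key overrides the real one (most parsers keep the last duplicate key). With the escaped builder, both values survive intact inside the message string and the other fields are untouched.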

Resolution

Broadcom API Gateway 10.1 ships Apache Tomcat version 9.0.62, which falls within the affected range of 9.0.40 to 9.0.68.
However, the API Gateway product is NOT affected, because it does not use the JsonErrorReportValve class. The valve is not enabled by default in Tomcat; it is only active when a Host is explicitly configured with errorReportValveClass set to org.apache.catalina.valves.JsonErrorReportValve (or the valve is added as a Valve element), and the Gateway does not do this.
The vulnerable code path is therefore never reached, and the vulnerability cannot be exploited against API Gateway 10.1. Administrators who have customised the embedded Tomcat configuration should confirm that no such setting has been added.
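The following is an added audit helper, not part of the Gateway or of Tomcat, that reports every place a Tomcat server.xml enables JsonErrorReportValve, so an administrator can confirm the statement above against a customised configuration. The sample configurations are constructed for the example, and the path to the real server.xml is deployment-specific.

```python
import xml.etree.ElementTree as ET

# Added audit helper (not part of the Gateway or of Tomcat): report every place a
# Tomcat server.xml enables JsonErrorReportValve. Tomcat selects the error valve
# per Host via the errorReportValveClass attribute (default: ErrorReportValve);
# a Valve element with the same className is also checked for completeness.
JSON_VALVE = "org.apache.catalina.valves.JsonErrorReportValve"

def find_json_error_valves(server_xml_text):
    """Return a list of locations where JsonErrorReportValve is configured;
    an empty list means the vulnerable valve is never used."""
    root = ET.fromstring(server_xml_text)
    hits = []
    for host in root.iter("Host"):
        if host.get("errorReportValveClass") == JSON_VALVE:
            hits.append("Host %s: errorReportValveClass" % host.get("name"))
    for valve in root.iter("Valve"):
        if valve.get("className") == JSON_VALVE:
            hits.append("Valve element: className")
    return hits

def find_json_error_valves_in_file(path):
    """Same check against a server.xml on disk (path is deployment-specific)."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_json_error_valves(fh.read())

# Constructed sample configurations for demonstration.
SAFE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# The same configuration with the JSON valve switched on for the Host.
EXPOSED_SERVER_XML = SAFE_SERVER_XML.replace(
    'appBase="webapps"',
    'appBase="webapps" errorReportValveClass="%s"' % JSON_VALVE)

if __name__ == "__main__":
    print("default config:",
          find_json_error_valves(SAFE_SERVER_XML) or "JsonErrorReportValve not in use")
    print("custom config: ", find_json_error_valves(EXPOSED_SERVER_XML))
```

An empty result for the Gateway's server.xml confirms that the valve, and with it the vulnerable code path, is not in use; any hit means the error valve was changed from Tomcat's default and should be reverted or the Tomcat build updated.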