Apache Tomcat vulnerability CVE-2022-42252 - Apache Tomcat Request Smuggling in DX NetOps Spectrum.
From Apache Tomcat 9 Configuration Reference
rejectIllegalHeader
If an HTTP request is received that contains an illegal header name or value (e.g. the header name is not a token), this setting determines if the request will be rejected with a 400 response (true) or if the illegal header will be ignored (false). The default value is true, which will cause the request to be rejected.
As per the links below, the resolution is either to upgrade Apache Tomcat or to apply the mitigation by ensuring rejectIllegalHeader is set to true:
https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
https://nvd.nist.gov/vuln/detail/CVE-2022-42252
Release : 21.2.x & 22.2.x
The attribute rejectIllegalHeader is set to true by default in Apache Tomcat 9.0.x, which is the version used by NetOps Spectrum.
This attribute was set to false by default only in Apache Tomcat 8.5.x; all subsequent Apache Tomcat versions have this value set to true by default.
Refer to https://nvd.nist.gov/vuln/detail/CVE-2022-42252
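As an added example (not code from the Broadcom article or from Tomcat), the Python script below audits each Connector in a server.xml for its effective rejectIllegalHeader value, treating a missing attribute as the version default described above (false only on 8.5.x). The server.xml fragment and the Tomcat version strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real Spectrum install): one
# connector explicitly disables the check, one explicitly enables it, and
# one relies on the Tomcat default.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" rejectIllegalHeader="false"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" rejectIllegalHeader="true"/>
    <Connector port="8081" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def default_rejects_illegal_header(tomcat_version):
    """True if this Tomcat line rejects illegal headers when the attribute
    is absent. Per the Tomcat reference quoted above, only 8.5.x defaulted
    to false; 9.0.x (used by Spectrum) and later default to true."""
    major, minor = (int(p) for p in tomcat_version.split(".")[:2])
    return not (major == 8 and minor == 5)


def audit_connectors(server_xml, tomcat_version):
    """Return (port, source) for every Connector whose effective
    rejectIllegalHeader is false, i.e. the configuration still needs the
    mitigation. 'source' says whether the value was explicit or a default."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        explicit = conn.get("rejectIllegalHeader")
        if explicit is None:
            effective = default_rejects_illegal_header(tomcat_version)
            source = "default"
        else:
            effective = explicit.strip().lower() == "true"
            source = "explicit"
        if not effective:
            findings.append((conn.get("port"), source))
    return findings


if __name__ == "__main__":
    # Same file audited against a 9.0.x and a (constructed) 8.5.x version.
    for version in ("9.0.65", "8.5.0"):
        print(version, audit_connectors(SAMPLE_SERVER_XML, version))
```

On a real host, read conf/server.xml from the Spectrum Tomcat directory and pass the installed version from the mapping table; any finding means a connector should be fixed before relying on the default.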
NetOps Spectrum and Apache Tomcat component mapping:
Spectrum 10.4.3 (20.2.7 - 20.2.9) -> Tomcat 9.0.41
Spectrum 10.4.3.1 (20.2.10) -> Tomcat 9.0.43
Spectrum 21.2.2 -> Tomcat 9.0.50
Spectrum 21.2.4 -> Tomcat 9.0.52
Spectrum 21.2.6 -> Tomcat 9.0.54
Spectrum 21.2.8 -> Tomcat 9.0.58
Spectrum 21.2.12 -> Tomcat 9.0.63
Spectrum 22.2.2 / 22.2.3 -> Tomcat 9.0.65
Spectrum 22.2.4 / 22.2.5 -> Tomcat 9.0.68