Bugzilla – Bug 1199516
VUL-0: CVE-2022-25762: tomcat,tomcat6: request mixup
Last modified: 2022-05-13 12:40:15 UTC
rh#2085304 If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.

Upstream fix: https://github.com/apache/tomcat/commit/01f2cf25b270a84d0daeefc4f215aa2f56e1df99

References:
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.76
https://bugzilla.redhat.com/show_bug.cgi?id=2085304
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25762
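A minimal model of the pool hazard the description names, added here as an illustration and not code from Tomcat or from the upstream fix: an unguarded pool accepts the same buffer back twice (once from the close path, once from the error path of a send on the already-closed socket) and then hands that one buffer to two new sessions, while a guarded pool that tracks checked-out objects rejects the second return. The class and function names and the bytearray "buffer" are assumptions for illustration.

```python
import threading
from collections import deque


class Pool:
    """Object pool whose release() is not idempotent: the same object can be
    handed back twice, which is the hazard the CVE description names."""

    def __init__(self, factory):
        self._factory = factory          # creates a fresh object when none is free
        self._free = deque()
        self._lock = threading.Lock()

    def acquire(self):
        with self._lock:
            return self._free.popleft() if self._free else self._factory()

    def release(self, obj):
        with self._lock:
            self._free.append(obj)       # no check that obj was actually checked out


class GuardedPool(Pool):
    """Hardened variant: remember which objects are checked out and refuse a
    release of anything that is not (a double release)."""

    def __init__(self, factory):
        super().__init__(factory)
        self._in_use = set()             # ids of objects currently checked out

    def acquire(self):
        with self._lock:
            obj = self._free.popleft() if self._free else self._factory()
            self._in_use.add(id(obj))
            return obj

    def release(self, obj):
        with self._lock:
            if id(obj) not in self._in_use:
                raise RuntimeError("double release of pooled object")
            self._in_use.discard(id(obj))
            self._free.append(obj)


def simulate(pool):
    """Sequential model of the race: a session closes and returns its buffer,
    then a concurrent send on the closed socket takes the error path, which
    returns the same buffer again. Two fresh sessions then acquire buffers."""
    buf = pool.acquire()
    pool.release(buf)                    # normal close path
    rejected = False
    try:
        pool.release(buf)                # error path after send on closed socket
    except RuntimeError:
        rejected = True                  # only the guarded pool gets here
    a, b = pool.acquire(), pool.acquire()
    return {"double_release_rejected": rejected, "object_shared": a is b}
```

With the unguarded pool the two new sessions share one buffer, which is the cross-session data exposure described above; the guarded pool turns the double return into a detectable error instead.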
Not affected/already fixed:
SUSE:SLE-12-SP4:Update/tomcat
SUSE:SLE-15:Update/tomcat
SUSE:SLE-15-SP1:Update/tomcat
SUSE:SLE-15-SP2:Update/tomcat

I think SUSE:SLE-12-SP2:Update/tomcat and SUSE:SLE-11:Update/tomcat6 are affected, but I am not sure.