Apache Tomcat 10.x < 10.0.20 Spring4Shell (CVE-2022-22965) Mitigations

Nessus Plugin ID 159463

Synopsis

The remote Apache Tomcat server does not have the Spring4Shell (CVE-2022-22965) mitigations.

Description

The version of Apache Tomcat installed on the remote host is 10.x prior to 10.0.20.

This version of Apache Tomcat does not have mitigations in place to protect against Spring4Shell (CVE-2022-22965). While this does not represent a vulnerability in Apache Tomcat itself, it is recommended to update Apache Tomcat to a version in which the Spring4Shell mitigations are present.

Note that Nessus has not tested for the presence of the mitigations; it has relied only on the application's self-reported version number.

Solution

Upgrade to Apache Tomcat version 10.0.20 or later.

See Also

http://www.nessus.org/u?2401ae46

Plugin Details

Severity: Info

ID: 159463

File Name: tomcat_10_0_20.nasl

Version: 1.2

Type: combined

Agent: windows, macosx, unix

Family: Web Servers

Published: 4/1/2022

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Required KB Items: installed_sw/Apache Tomcat

Patch Publication Date: 4/1/2022

Vulnerability Publication Date: 3/31/2022