CVE-2022-29885: 
Java vulnerability analysis and mitigation

The documentation of Apache Tomcat versions 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62, and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. While the EncryptInterceptor provides confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks (Apache Mailing List, NVD).

The vulnerability has been assigned CVE-2022-29885 with a CVSS v3.1 Base Score of 7.5 (HIGH) and vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue specifically relates to the EncryptInterceptor component's documentation which incorrectly implied complete protection for clustering over untrusted networks (NVD).

The primary impact of this vulnerability is potential Denial of Service (DoS) risks when running Tomcat clustering over untrusted networks. While the EncryptInterceptor provides confidentiality and integrity protection, it does not protect against all network-based risks (NetApp Advisory).

The issue has been addressed in Apache Tomcat versions 8.5.79, 9.0.63, 10.0.21, and later. Organizations should upgrade to these or newer versions to ensure accurate documentation of security capabilities (Debian Advisory).