Impact of CVE-2022-25762 Vulnerability on Veritas Desktop and Laptop Option (DLO)


Article ID: 100053375


Description

A vulnerability has been reported in Apache Tomcat versions 8.5.0 to 8.5.75 and 9.0.0.M1 to 9.0.20.

CVE-2022-25762:

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.

https://nvd.nist.gov/vuln/detail/CVE-2022-25762 
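The following added example is not Tomcat's or Veritas's code; it is a toy simulation of the failure mode described above. A connection borrows an object from a LIFO pool (Tomcat's SynchronizedStack is also LIFO); the close path and the error handler both release it, so the object sits in the pool twice and the next two connections are handed the same object, with one reading the other's data. The hardened pool tracks checked-out objects and rejects the second release. All class and function names are hypothetical.

```python
"""Toy simulation of CVE-2022-25762's pooled-object double return (added example,
not Tomcat's implementation). A NaivePool accepts the same object twice; a
CheckedPool refuses the second release so no two connections share an object."""
import threading


class Buffer:
    """Stand-in for a pooled per-connection object (socket wrapper, buffer, ...)."""
    def __init__(self, name):
        self.name = name
        self.payload = None


class NaivePool:
    """Pool that trusts callers to release every borrowed object exactly once."""
    def __init__(self, objs):
        self._free = list(objs)          # LIFO: pop() hands out the most recently released
        self._lock = threading.Lock()

    def borrow(self):
        with self._lock:
            return self._free.pop()

    def release(self, obj):
        with self._lock:
            self._free.append(obj)       # no ownership check: a second release duplicates obj


class CheckedPool(NaivePool):
    """Hardened pool: remembers what is checked out and rejects a double release."""
    def __init__(self, objs):
        super().__init__(objs)
        self._checked_out = set()

    def borrow(self):
        with self._lock:
            obj = self._free.pop()
            self._checked_out.add(id(obj))
            return obj

    def release(self, obj):
        with self._lock:
            if id(obj) not in self._checked_out:
                raise RuntimeError(f"double release of {obj.name}")
            self._checked_out.remove(id(obj))
            self._free.append(obj)


def close_race(pool):
    """Model the race: connection 1 borrows an object; the normal close path and
    the error handler triggered by the concurrent send both release it. Two new
    connections then borrow. Returns (same_object, payload_seen_by_b, error)."""
    conn1 = pool.borrow()
    pool.release(conn1)                  # close path returns the object once
    error = None
    try:
        pool.release(conn1)              # error handling returns it a second time
    except RuntimeError as exc:
        error = str(exc)
    conn_a = pool.borrow()
    conn_b = pool.borrow()
    conn_a.payload = "response for connection A"
    # If A and B were handed the same object, B now sees A's data.
    return conn_a is conn_b, conn_b.payload, error


if __name__ == "__main__":
    for pool_cls in (NaivePool, CheckedPool):
        pool = pool_cls([Buffer("obj1"), Buffer("obj2")])
        print(pool_cls.__name__, close_race(pool))
```

With NaivePool the run reports that both new connections hold the same object and that connection B can read connection A's payload; with CheckedPool the second release raises and the two connections receive distinct objects.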

 

Affected Versions

All currently released versions of Desktop and Laptop Option (DLO) are affected by this vulnerability if an IO Server is configured in the environment, because DLO uses WebSocket communication when talking to the IO Server.

See the related article for details of the Apache, Tomcat, OpenSSL and Log4j versions used in Desktop and Laptop Option (DLO): https://www.veritas.com/content/support/en_US/article.100048632.html

 

Resolution

Customers using Desktop and Laptop Option (DLO) 9.7 are advised to use the VxUpdate - Component Update function to download and upgrade to Apache Tomcat 8.5.79, which is outside the affected range (the affected 8.5.x releases end at 8.5.75).

Customers using DLO 9.6 or earlier are advised to upgrade to DLO 9.7 and then use the Veritas Update function built into the console.
Manually upgrading Apache Tomcat in DLO 9.6 or earlier is not recommended: those DLO versions have not been qualified with newer Tomcat builds, and unexpected results may be seen.
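After the component update, a practitioner will want to confirm which Tomcat build DLO is actually running rather than rely on the update log. The following added script is not a Veritas or Tomcat tool. It reads the version string that every Tomcat build ships in lib/catalina.jar (the entry org/apache/catalina/util/ServerInfo.properties, key server.info) and reports whether that version falls inside the CVE-2022-25762 ranges. The location of catalina.jar under the DLO installation is an assumption and must be passed on the command line; without an argument the script runs against a constructed in-memory jar.

```python
"""Report whether an installed Tomcat is inside the CVE-2022-25762 affected
ranges (8.5.0-8.5.75, 9.0.0.M1-9.0.20). Added example, not a Veritas or
Tomcat tool. Usage: python check_tomcat.py <path to lib/catalina.jar>"""
import io
import re
import sys
import zipfile

# Inclusive upper patch level of each affected branch.
AFFECTED_MAX_PATCH = {(8, 5): 75, (9, 0): 20}
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(text):
    """Return (major, minor, patch, milestone) from strings such as
    'Apache Tomcat/8.5.79', '8.5.79.0' or '9.0.0.M1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.(M\d+))?", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return major, minor, patch, m.group(4)


def is_affected(text):
    """True when the version lies in an affected range. The 9.0 range starts at
    9.0.0.M1, so every 9.0.0 milestone is affected and needs no special case."""
    major, minor, patch, _ = parse_version(text)
    limit = AFFECTED_MAX_PATCH.get((major, minor))
    return limit is not None and patch <= limit


def installed_version(catalina_jar):
    """Read server.info from catalina.jar (a filesystem path or a file-like object)."""
    with zipfile.ZipFile(catalina_jar) as jar:
        props = jar.read(SERVER_INFO).decode("utf-8")
    for line in props.splitlines():
        if line.startswith("server.info="):
            return line.split("=", 1)[1].strip()
    raise ValueError("server.info missing from ServerInfo.properties")


def constructed_jar(server_info):
    """Build an in-memory stand-in for catalina.jar (constructed test data, not a
    real Tomcat artifact) carrying the given server.info value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVER_INFO, f"server.info={server_info}\nserver.number=0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Assumed: argv[1] points at the catalina.jar of the Tomcat that DLO uses.
    source = sys.argv[1] if len(sys.argv) > 1 else constructed_jar("Apache Tomcat/8.5.79")
    version = installed_version(source)
    status = "AFFECTED" if is_affected(version) else "not affected"
    print(f"{version}: {status} by CVE-2022-25762")
```

A version such as Apache Tomcat/8.5.79 reports "not affected"; anything up to 8.5.75 or 9.0.20 reports "AFFECTED", which after an update means the IO Server is still loading an old catalina.jar.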