
Has anyone verified if CVE-2022-29885 has been backported to Tomcat 9.0.58-1ubuntu0.1 in Ubuntu 22.04? If so, could this be a false positive from Nessus, since it flags any version prior to 9.0.63 as vulnerable? Alternatively, is the version still vulnerable unless using Ubuntu Pro to upgrade to 9.0.58-1ubuntu0.1+esm2?

Just trying to clarify if the CVE is actually addressed in the Ubuntu package or if Nessus is mistakenly flagging it based on version number alone.

1 Answer


The version of tomcat9 in Ubuntu 22.04 without Ubuntu Pro does not have the associated fix for CVE-2022-29885. It's also worth saying that this particular CVE regarded an issue with documentation, and so in Ubuntu Pro we did a documentation only fix. We do also have a handful of other fixes available in 22.04 Ubuntu Pro for tomcat9 such as the five mentioned in this notice https://ubuntu.com/security/notices/USN-7106-1.
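One way to make the distinction the answer draws, as an added example that is not part of this thread: it contrasts a version-only check (what the scanner does) with a search of the package's own changelog for the CVE id (on a real host the changelog comes from `apt changelog tomcat9` or /usr/share/doc/tomcat9/changelog.Debian.gz). The changelog text below is constructed for illustration, with placeholder dates and addresses; it is not the real tomcat9 changelog.

```python
import re

# Constructed Debian-format changelog excerpt. The version strings are the ones
# named in the thread; the entry bodies, dates and addresses are invented.
SAMPLE_CHANGELOG = """\
tomcat9 (9.0.58-1ubuntu0.1+esm2) jammy-security; urgency=medium

  * SECURITY UPDATE: documentation-only fix (constructed entry)
    - CVE-2022-29885

 -- Placeholder <placeholder@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

tomcat9 (9.0.58-1ubuntu0.1) jammy; urgency=medium

  * Unrelated packaging change (constructed entry)

 -- Placeholder <placeholder@example.invalid>  Mon, 01 Jan 2022 00:00:00 +0000
"""

ENTRY_RE = re.compile(r"^\S+ \(([^)]+)\) ", re.MULTILINE)   # "pkg (version) suite; ..."
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

def parse_changelog(text):
    """Split a Debian changelog into [(version, {CVE ids})], newest entry first."""
    matches = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append((m.group(1), set(CVE_RE.findall(text[m.end():end]))))
    return entries

def cve_in_changelog(installed_version, text, cve):
    """True if the installed version's entry, or any older one, mentions the CVE.
    A shipped changelog is cumulative, so older entries count for newer builds."""
    entries = parse_changelog(text)
    versions = [v for v, _ in entries]
    if installed_version not in versions:
        raise ValueError(f"{installed_version} not found in changelog")
    return any(cve in cves for _, cves in entries[versions.index(installed_version):])

def upstream_tuple(version):
    """Upstream part of a Debian version: '9.0.58-1ubuntu0.1' -> (9, 0, 58)."""
    return tuple(int(p) for p in version.split("-", 1)[0].split("."))

def version_only_flag(installed_version, fixed_upstream):
    """Mimic a scanner that flags anything below the upstream release with the fix."""
    return upstream_tuple(installed_version) < upstream_tuple(fixed_upstream)

def assess(installed_version, text, cve, fixed_upstream):
    flagged = version_only_flag(installed_version, fixed_upstream)
    backported = cve_in_changelog(installed_version, text, cve)
    if flagged and backported:
        verdict = "false positive: fix backported"
    elif flagged:
        verdict = "likely vulnerable: no backport in changelog"
    else:
        verdict = "not flagged"
    return {"flagged": flagged, "backported": backported, "verdict": verdict}
```

Running `assess` on both versions from the thread gives "likely vulnerable" for 9.0.58-1ubuntu0.1 and "false positive" for 9.0.58-1ubuntu0.1+esm2, even though the scanner's version rule flags both.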