Tomcat 8.5.77 was published on March 17. The Windows distribution contains 
tcnative-1.dll, version 1.2.31.

Tcnative-1.dll appears to be statically linked to OpenSSL, and was built in 
2021, prior to the fix for CVE-2022-0778 being published by OpenSSL.

The tcnative source tree was updated to "recommend" a new version of OpenSSL 
six days ago, but the DLL in the 8.5.77 release doesn't appear to have been 
built with this change.

I believe this means that if an APR connector is enabled, the Windows 
distribution of Tomcat 8.5.77 is exposed to a pretty severe DoS attack vector. 
I emailed secur...@tomcat.apache.org about this, believing that that was the 
responsible way to bring this to light, but received a pretty nasty email in 
response that told me that this mailing list was the correct forum.

Would it be possible to get a canonical version of Tomcat (e.g. 8.5.78) built 
that contains the remediation for CVE-2022-0778? Is there anything I can do to 
help?

Matthew Mellon CISSP
Chief Information Security Officer
828.265.2907 ext 5058  |  https://www.ecrs.com/
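A defender-side check for the situation described in the message above, added here as an example and not code from the post or from the Tomcat project: it reads the version banner that a statically linked OpenSSL embeds in tcnative-1.dll and lists the connectors in server.xml that use the APR protocol, so an operator can tell whether both conditions for exposure hold. The DLL bytes and server.xml are constructed samples; the threshold 1.1.1n is the first OpenSSL 1.1.1 release containing the CVE-2022-0778 fix.

```python
import re
import xml.etree.ElementTree as ET

# OpenSSL compiles a banner such as "OpenSSL 1.1.1k  25 Mar 2021" into every build,
# so a statically linked tcnative-1.dll carries it as a plain string.
_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)\s+\d{1,2} \w{3} \d{4}")
FIXED_111_LETTER = "n"  # 1.1.1n: first 1.1.1 release with the CVE-2022-0778 fix
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

def openssl_version(dll_bytes: bytes):
    """Return (major, minor, patch, letter) from the embedded banner, or None."""
    m = _BANNER.search(dll_bytes)
    return (int(m[1]), int(m[2]), int(m[3]), m[4].decode()) if m else None

def is_vulnerable(version):
    """True/False for a 1.1.1-series build; None when the series is not judged here."""
    if version is None or version[:3] != (1, 1, 1):
        return None
    return version[3] < FIXED_111_LETTER  # "", "k", "l", "m" sort before "n"

def apr_connectors(server_xml: str):
    """Ports of Connectors on the APR protocol, when the native listener is configured."""
    root = ET.fromstring(server_xml)
    if not any(l.get("className") == APR_LISTENER for l in root.iter("Listener")):
        return []
    return [c.get("port") for c in root.iter("Connector") if c.get("protocol") == APR_PROTOCOL]

def audit(dll_bytes: bytes, server_xml: str) -> dict:
    """Exposure needs both: a pre-fix statically linked OpenSSL and an APR connector."""
    ver, ports = openssl_version(dll_bytes), apr_connectors(server_xml)
    return {"openssl": ver, "apr_ports": ports,
            "exposed": bool(ports) and is_vulnerable(ver) is True}

# Constructed samples standing in for a real tcnative-1.dll and conf/server.xml.
SAMPLE_DLL = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 1.1.1k  25 Mar 2021\x00" + b"\xff" * 8
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    print(audit(SAMPLE_DLL, SAMPLE_SERVER_XML))  # for a real install, read the DLL and server.xml
```

The banner search only works for a statically linked build, which is what the message reports for this DLL; a tcnative that loads a separate OpenSSL DLL has to be checked against that library instead.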

