Hi all.

We use Tomcat 9.0.63 and are wondering if it's vulnerable to CVE-2022-42920? I don't see any bcel jar files, like bcel-6.0.jar, but when I scanned all jars for bcel, I found the following 22 classes with bcel in their package name in tomcat-coyote.jar:

org/apache/tomcat/util/bcel/Const.class
org/apache/tomcat/util/bcel/classfile/AnnotationElementValue.class
org/apache/tomcat/util/bcel/classfile/AnnotationEntry.class
org/apache/tomcat/util/bcel/classfile/Annotations.class
org/apache/tomcat/util/bcel/classfile/ArrayElementValue.class
org/apache/tomcat/util/bcel/classfile/ClassElementValue.class
org/apache/tomcat/util/bcel/classfile/ClassFormatException.class
org/apache/tomcat/util/bcel/classfile/ClassParser.class
org/apache/tomcat/util/bcel/classfile/Constant.class
org/apache/tomcat/util/bcel/classfile/ConstantClass.class
org/apache/tomcat/util/bcel/classfile/ConstantDouble.class
org/apache/tomcat/util/bcel/classfile/ConstantFloat.class
org/apache/tomcat/util/bcel/classfile/ConstantInteger.class
org/apache/tomcat/util/bcel/classfile/ConstantLong.class
org/apache/tomcat/util/bcel/classfile/ConstantPool.class
org/apache/tomcat/util/bcel/classfile/ConstantUtf8.class
org/apache/tomcat/util/bcel/classfile/ElementValue.class
org/apache/tomcat/util/bcel/classfile/ElementValuePair.class
org/apache/tomcat/util/bcel/classfile/EnumElementValue.class
org/apache/tomcat/util/bcel/classfile/JavaClass.class
org/apache/tomcat/util/bcel/classfile/SimpleElementValue.class
org/apache/tomcat/util/bcel/classfile/Utility.class

Are these classes implicated in CVE-2022-42920? Does Tomcat 9 need to be updated?

Thank you in advance,
Jerry
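
Added example, not part of the original post: a Python version of the jar scan described above. It goes beyond the post by descending into archives nested in WAR/EAR files and by grouping hits per package, so a relocated copy such as org/apache/tomcat/util/bcel is listed apart from the upstream org/apache/bcel package. The function names and the sample archive names are assumptions made for this example, and the sample archive is constructed.

```python
import io
import sys
import zipfile
from collections import Counter
from pathlib import Path

ARCHIVES = (".jar", ".war", ".ear")
UPSTREAM = "org/apache/bcel/"  # package path of Apache Commons BCEL itself

def find_bcel_classes(data, label, needle="/bcel/"):
    """Sorted (archive, entry) pairs for .class entries under a `needle` path, nested archives included."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable archive: nothing to list
    with zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith(".class") and needle in "/" + low:
                hits.append((label, name))
            elif low.endswith(ARCHIVES):  # e.g. WEB-INF/lib/*.jar inside a WAR
                hits += find_bcel_classes(zf.read(name), f"{label}!/{name}", needle)
    return sorted(hits)

def summarize(hits):
    """Count hits per (archive, package, origin); a copy outside org/apache/bcel is 'relocated'."""
    return dict(Counter(
        (arc, entry.rsplit("/", 1)[0], "upstream" if entry.startswith(UPSTREAM) else "relocated")
        for arc, entry in hits))

def make_jar(entries):  # in-memory archive from {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def constructed_sample():  # constructed WAR; archive names are made up for the demo
    pkg = "org/apache/tomcat/util/bcel/"
    inner = make_jar({pkg + "Const.class": b"", pkg + "classfile/ClassParser.class": b"",
                      pkg + "classfile/Utility.class": b"", "org/apache/coyote/Request.class": b""})
    return make_jar({"WEB-INF/lib/sample-coyote.jar": inner})

if __name__ == "__main__":
    inputs = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [("sample.war", constructed_sample())]
    for label, data in inputs:
        for key, n in summarize(find_bcel_classes(data, label)).items():
            print(n, *key)
```

Pass archive paths as arguments to scan real files; with no arguments it scans the constructed sample. The per-package counts give an inventory that can be compared with the classes named in the CVE advisory.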