On May 12, 2022, Apache released an advisory regarding a high-severity vulnerability in Apache Tomcat. The vulnerability, designated CVE-2022-25762, affects Tomcat versions 9.0.0.M1 to 9.0.20 and 8.5.0 to 8.5.75. Apache advises users to upgrade to 9.0.21 or later or 8.5.76 or later to mitigate the vulnerability. A May 16, 2022 advisory from CISA directed users to the Apache announcement, with the agency noting that the vulnerability could allow attackers to obtain sensitive information. As of this writing, little detail is available on the vulnerability.
In their original announcement, Apache noted:
“If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.”
As of this writing, there does not appear to be a NIST CVSS score for the vulnerability, but Red Hat has given the CVE a severity score of 8.6. NIST notes that analysis is ongoing. Red Hat also noted that the CVE has a potential high impact on confidentiality and low impact on integrity and availability.
As the security community continues to research CVE-2022-25762, the initial impact of the vulnerability is difficult to gauge, and the exact level of sophistication and specific methodology needed to exploit it are not clear at present. It is not clear if the attacker would be able to control what data they obtain from exploitation or if, like Heartbleed, the exposed data would be random. It is possible that exploitation may require a brute force of an open session and that exposed data would be limited to the prior session, or that exploitation would be simpler and the data affected larger in scope.
RH-ISAC analysts hypothesized a possible exploitation scenario, included here:
If an attacker sends a WebSocket message at exactly the right moment as the connection to User A is closing, that WebSocket object would be dropped back in the pool for another connection to use even though it is not closed. Then a connection to a new User B could grab that same WebSocket object out of the pool, and that new user’s data would be sent to both connections (or at least to the wrong one), so the attacker would receive the data from User B’s session.
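The failure mode in Apache's description, a pooled object placed in the pool twice and then handed to two connections, can be seen in a simplified model. This is an added example, not Tomcat code and not a reproduction of the vulnerability; `Buffer`, `NaivePool`, `GuardedPool` and `simulate` are hypothetical names, and the guard shown is one common way to make release idempotent, not a description of Apache's fix.

```python
# Simplified model of the double-return failure mode; NOT Tomcat code.
# Every class and function name below is hypothetical.
class Buffer:
    """Stand-in for a pooled per-connection object."""
    def __init__(self, ident):
        self.ident = ident
        self.data = None

class NaivePool:
    """Accepts every release, so one object can be queued twice."""
    def __init__(self, size):
        self.free = [Buffer(i) for i in range(size)]

    def acquire(self):
        return self.free.pop()

    def release(self, buf):
        self.free.append(buf)

class GuardedPool(NaivePool):
    """Tracks checked-out objects and refuses a repeated release."""
    def __init__(self, size):
        super().__init__(size)
        self.checked_out = set()

    def acquire(self):
        buf = super().acquire()
        self.checked_out.add(buf.ident)
        return buf

    def release(self, buf):
        if buf.ident not in self.checked_out:
            return False              # already back in the pool
        self.checked_out.discard(buf.ident)
        buf.data = None               # clear state before reuse
        super().release(buf)
        return True

def simulate(pool):
    """Release one object from both the close path and the error path,
    then let two new connections acquire. Returns (shared, data seen by B)."""
    closing = pool.acquire()
    pool.release(closing)             # normal close handling
    pool.release(closing)             # error handling after use-after-close
    conn_b = pool.acquire()
    conn_c = pool.acquire()
    conn_b.data = "response for B"
    conn_c.data = "response for C"    # overwrites B's data if shared
    return conn_b is conn_c, conn_b.data
```

With `NaivePool(2)` the two new connections receive the same object and B reads C's data; with `GuardedPool(2)` the second release is rejected and each connection gets its own object.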
RH-ISAC will continue to monitor developments for CVE-2022-25762 and will update the community as new details emerge.