CVE-2022-23181 Overview
CVE-2022-23181 is a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in Apache Tomcat that was inadvertently introduced while fixing CVE-2020-9484. This vulnerability affects Apache Tomcat versions 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56, and 8.5.55 to 8.5.73. The flaw allows a local attacker to perform actions with the privileges of the Tomcat process user when Tomcat is configured to persist sessions using the FileStore.
Critical Impact
Local attackers can escalate privileges to the Tomcat process user level, potentially compromising session data integrity and executing unauthorized actions on systems using FileStore session persistence.
Affected Products
- Apache Tomcat 10.1.0-M1 to 10.1.0-M8
- Apache Tomcat 10.0.0-M5 to 10.0.14
- Apache Tomcat 9.0.35 to 9.0.56
- Apache Tomcat 8.5.55 to 8.5.73
- Oracle Agile Engineering Data Management 6.2.1.0
- Oracle Communications Cloud Native Core Policy 1.15.0
- Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0 and 8.0.8.3.0
- Oracle Managed File Transfer 12.2.1.3.0 and 12.2.1.4.0
- Oracle MySQL Enterprise Monitor
- Debian Linux 10.0 and 11.0
Discovery Timeline
- 2022-01-27 - CVE-2022-23181 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23181
Vulnerability Analysis
This vulnerability is classified as CWE-367 (Time-of-Check Time-of-Use Race Condition). The flaw was introduced as a regression during the remediation of a prior deserialization vulnerability (CVE-2020-9484) in Apache Tomcat's session persistence mechanism.
When Tomcat is configured to use the FileStore for session persistence, there exists a time window between the security check (validating session file access) and the actual use of that file. A local attacker who can time their actions precisely during this window can manipulate the session file operations to execute actions with the elevated privileges of the Tomcat process.
The attack requires local access to the system and the ability to write to the session storage directory, making it exploitable only in specific deployment configurations. Organizations running Tomcat with FileStore session persistence in multi-user environments are particularly at risk.
Root Cause
The root cause stems from the security fix for CVE-2020-9484, which introduced an improper synchronization mechanism in the FileStore session persistence code. The fix created a race condition where the time between checking file permissions and actually operating on the file creates an exploitable window. During this gap, an attacker can substitute or modify the session file, causing Tomcat to operate on a malicious file with its process privileges.
Attack Vector
The attack vector is local, requiring the attacker to have access to the same system where Tomcat is running. The attacker must be able to:
- Identify that Tomcat is configured to use FileStore for session persistence
- Locate the session storage directory
- Time file operations to exploit the race condition window
- Substitute or manipulate session files between the check and use operations
This attack is most feasible in shared hosting environments or systems where multiple users have access to the Tomcat server filesystem. The exploitation requires precise timing and local filesystem access, which limits the attack surface but can be devastating when successful.
Detection Methods for CVE-2022-23181
Indicators of Compromise
- Unexpected file modifications in the Tomcat session storage directory (typically $CATALINA_HOME/work/Catalina/<hostname>/<webapp>/)
- Unusual process activity under the Tomcat user account
- Rapid file creation and deletion patterns in session directories indicating race condition exploitation attempts
Detection Strategies
- Monitor filesystem operations on session storage directories for suspicious timing patterns
- Implement file integrity monitoring (FIM) on Tomcat's session persistence directories
- Review Tomcat access logs for anomalous session ID patterns that might indicate session manipulation
Monitoring Recommendations
- Enable detailed audit logging for the Tomcat process user and session directory access
- Configure SIEM alerts for unusual local privilege escalation patterns involving the Tomcat user
- Monitor for rapid consecutive file operations in FileStore directories that could indicate exploitation attempts
How to Mitigate CVE-2022-23181
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version: 10.1.0-M10 or later, 10.0.16 or later, 9.0.58 or later, or 8.5.75 or later
- If immediate patching is not possible, disable FileStore session persistence and switch to alternative session managers
- Review and restrict filesystem permissions on session storage directories to limit local user access
Patch Information
Apache has released security patches addressing this vulnerability. Administrators should update to the following minimum versions:
- Tomcat 10.1.x: Update to 10.1.0-M10 or later
- Tomcat 10.0.x: Update to 10.0.16 or later
- Tomcat 9.0.x: Update to 9.0.58 or later
- Tomcat 8.5.x: Update to 8.5.75 or later
For detailed patch information, refer to the Apache Mailing List Thread and the Oracle Critical Patch Update April 2022.
Workarounds
- Disable FileStore session persistence by configuring an alternative session manager such as PersistentManager with JDBCStore or in-memory session storage
- Restrict local user access to the Tomcat server to minimize the attack surface
- Implement strict filesystem permissions on the session storage directory, limiting access exclusively to the Tomcat process user
# Configuration example - Switch from FileStore to JDBC session persistence
# In context.xml, replace FileStore configuration with JDBCStore:
# Remove or comment out FileStore configuration:
# <Manager className="org.apache.catalina.session.PersistentManager">
# <Store className="org.apache.catalina.session.FileStore"/>
# </Manager>
# Or restrict session directory permissions (temporary workaround):
chmod 700 $CATALINA_HOME/work/Catalina/localhost/
chown tomcat:tomcat $CATALINA_HOME/work/Catalina/localhost/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
