CVE-2022-25762 Overview
CVE-2022-25762 is a race condition vulnerability affecting Apache Tomcat that occurs when a web application sends a WebSocket message concurrently with the WebSocket connection closing. This timing issue can cause the application to continue using a socket after it has been closed, leading to improper resource release (CWE-404). The error handling triggered in this scenario could cause a pooled object to be placed in the pool twice, resulting in subsequent connections using the same object concurrently, which could lead to data being returned to the wrong user and other errors.
Critical Impact
This vulnerability enables potential information disclosure where data may be returned to the wrong user due to concurrent object reuse in the connection pool, along with possible integrity and availability impacts.
Affected Products
- Apache Tomcat 8.5.0 to 8.5.75
- Apache Tomcat 9.0.0.M1 to 9.0.20
- Oracle Agile PLM 9.3.6
Discovery Timeline
- 2022-05-13 - CVE-2022-25762 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-25762
Vulnerability Analysis
This vulnerability stems from improper resource release during WebSocket connection lifecycle management in Apache Tomcat. When a web application attempts to send a WebSocket message at the same time the connection is being closed, a race condition occurs. The concurrent timing of these operations causes the application to reference a socket that has already been closed.
The flaw is particularly concerning because of its impact on the connection pooling mechanism. When the error handling logic is triggered due to the closed socket condition, it can inadvertently place a pooled connection object back into the pool twice. This double-pooling creates a situation where multiple threads may simultaneously access and use the same connection object, violating the expected isolation between different users' sessions.
The consequences of this race condition include potential data leakage between users (confidentiality impact), possible data corruption (integrity impact), and service instability (availability impact). The vulnerability can be exploited over the network without authentication, though triggering it requires specific timing conditions during WebSocket operations.
Root Cause
The root cause is improper resource release (CWE-404) in Apache Tomcat's WebSocket implementation. The error handling code path does not properly track whether a pooled object has already been returned to the pool, allowing for duplicate pool insertions when a WebSocket message send operation races with connection closure.
Attack Vector
The attack vector is network-based and requires no user interaction or prior authentication. An attacker would need to establish WebSocket connections to a vulnerable Tomcat server and manipulate the timing of message sends and connection closures to trigger the race condition. While no public exploit is currently available, the attack could theoretically be performed by:
- Establishing multiple WebSocket connections to the target application
- Initiating message sends while simultaneously triggering connection closures
- Exploiting the resulting pool corruption to intercept data intended for other users
The vulnerability mechanism involves concurrent access to shared resources without proper synchronization. When a WebSocket message is being written as the connection closes, the socket state becomes inconsistent. The error handler attempts recovery by releasing the connection object back to the pool, but the object may already be queued for return, resulting in duplicate pool entries. Subsequent connection requests may then receive the same object, causing data cross-contamination between sessions.
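The following is an added illustration, not Tomcat code, of the root cause described above: a pool whose release path does not track whether an object is already pooled, next to a guarded variant whose per-object flag turns the duplicate release into a no-op. The pool and buffer classes are hypothetical stand-ins; the two back-to-back releases deterministically replay the outcome of the race (close-path cleanup and send-path error handling both returning the same object) rather than racing real threads.

```python
from collections import deque
from threading import Lock

class PooledBuffer:
    """Hypothetical stand-in for the per-connection object Tomcat pools for WebSocket sessions."""
    def __init__(self, ident):
        self.ident = ident
        self.data = None          # payload staged for the session that currently owns the object
        self.in_pool = False
        self.lock = Lock()

class NaivePool:
    """Vulnerable model: release() never checks whether the object is already back in the pool."""
    def __init__(self):
        self._free = deque()
        self._lock = Lock()
        self._created = 0

    def borrow(self):
        with self._lock:
            if self._free:
                obj = self._free.popleft()
            else:                               # grow the pool when nothing is free
                obj = PooledBuffer(self._created)
                self._created += 1
        obj.in_pool = False
        return obj

    def release(self, obj):
        with self._lock:
            obj.data = None
            self._free.append(obj)              # BUG: a second release queues the same object twice

class GuardedPool(NaivePool):
    """Fixed model: a per-object flag makes any duplicate release a no-op (the missing CWE-404 check)."""
    def release(self, obj):
        with obj.lock:
            if obj.in_pool:
                return                          # already returned: ignore the duplicate release
            obj.in_pool = True
        super().release(obj)

def cross_session_leak(pool_cls):
    """Replay the race outcome: session A's object is released by both the close path and the
    send-path error handler, then sessions B and C borrow. Returns True if C can read B's data."""
    pool = pool_cls()
    a = pool.borrow()
    pool.release(a)        # close path returns the object
    pool.release(a)        # send-path error handling returns it again
    b = pool.borrow()
    c = pool.borrow()
    b.data = "B-private"   # constructed payload belonging to session B only
    return c.data == "B-private"
```

With NaivePool both new sessions receive the same object and the leak check is True; with GuardedPool session C gets a fresh object and the check is False.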
Detection Methods for CVE-2022-25762
Indicators of Compromise
- Unexpected data appearing in WebSocket responses that belongs to different user sessions
- Application logs showing NullPointerException or socket-related errors during WebSocket operations
- Increased frequency of connection pool-related warnings in Tomcat logs
- Users reporting seeing data or responses meant for other users
Detection Strategies
- Monitor Tomcat application logs for java.net.SocketException errors occurring during WebSocket message transmission
- Implement application-level logging to track WebSocket message routing and identify cross-session data leakage
- Use network monitoring tools to detect anomalous patterns in WebSocket connection lifecycle events
- Deploy runtime application security solutions to detect improper session handling
Monitoring Recommendations
- Enable detailed logging for WebSocket handlers and connection pool management in Tomcat
- Implement correlation IDs for WebSocket sessions to trace data flow and detect cross-session contamination
- Set up alerts for unusual spikes in WebSocket connection errors or pool management exceptions
- Review application audit logs for instances where users access data outside their authorized scope
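As an added example of the log-based detection and alerting strategies listed above (not tooling from the Apache project), the script below buckets SEVERE entries from Tomcat's org.apache.tomcat.websocket loggers that carry a java.net.SocketException or NullPointerException into fixed time windows and reports windows that exceed a threshold. The log lines are constructed samples in the catalina log format; the window size, threshold and logger method names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the catalina log format; not real captured output.
SAMPLE_LOG = """\
13-May-2022 10:15:02.113 SEVERE [http-nio-8080-exec-3] org.apache.tomcat.websocket.WsSession.doClose java.net.SocketException: Broken pipe
13-May-2022 10:15:02.201 SEVERE [http-nio-8080-exec-7] org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock java.net.SocketException: Socket closed
13-May-2022 10:15:02.540 SEVERE [http-nio-8080-exec-2] org.apache.tomcat.websocket.WsSession.doClose java.lang.NullPointerException
13-May-2022 10:15:03.020 INFO  [http-nio-8080-exec-4] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
13-May-2022 10:16:40.777 SEVERE [http-nio-8080-exec-5] org.apache.tomcat.websocket.WsSession.doClose java.net.SocketException: Connection reset
"""

# timestamp, level, [thread], logger, free-text message
LINE_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} (\w+)\s+\[[^\]]+\] (\S+) (.*)$")
WS_LOGGER_PREFIX = "org.apache.tomcat.websocket"
SUSPECT_EXCEPTIONS = ("java.net.SocketException", "java.lang.NullPointerException")
EPOCH = datetime(1970, 1, 1)

def parse_line(line):
    """Return (timestamp, level, logger, message) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def is_websocket_failure(level, logger, message):
    """SEVERE entry from the WebSocket package that reports one of the exceptions the IoCs name."""
    return (level == "SEVERE" and logger.startswith(WS_LOGGER_PREFIX)
            and any(exc in message for exc in SUSPECT_EXCEPTIONS))

def websocket_error_bursts(log_text, window_seconds=60, threshold=3):
    """Count matching entries per fixed window; return [(window_start_iso, count)] at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, logger, message = parsed
        if not is_websocket_failure(level, logger, message):
            continue
        secs = int((ts - EPOCH).total_seconds())
        bucket = EPOCH + timedelta(seconds=secs - secs % window_seconds)
        counts[bucket] += 1
    return [(b.isoformat(), n) for b, n in sorted(counts.items()) if n >= threshold]
```

Feed it a real catalina log and tune the threshold to the deployment's normal close-error rate so that only a burst of send-during-close failures raises an alert.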
How to Mitigate CVE-2022-25762
Immediate Actions Required
- Upgrade Apache Tomcat 8.5.x installations to version 8.5.76 or later
- Upgrade Apache Tomcat 9.0.x installations to version 9.0.21 or later
- Review and apply Oracle's July 2022 Critical Patch Update for Oracle Agile PLM environments
- Audit application code to ensure proper WebSocket connection lifecycle management
Patch Information
Apache has released patched versions that address this race condition vulnerability. Affected users should upgrade to:
- Apache Tomcat 8.5.x: Upgrade to version 8.5.76 or later
- Apache Tomcat 9.0.x: Upgrade to version 9.0.21 or later
For detailed patch information, refer to the Apache Mailing List Thread. Oracle users should consult the Oracle July 2022 Security Alert for Agile PLM-specific guidance. Additional vendor guidance is available in the NetApp Security Advisory NTAP-20220629-0003.
Workarounds
- Implement application-level synchronization around WebSocket send operations to prevent concurrent access during connection closure
- Configure connection pool validation to detect and remove corrupted pool entries before reuse
- Use a web application firewall (WAF) to rate-limit WebSocket connections, reducing the opportunity for race condition exploitation
- Consider disabling WebSocket functionality if not required by the application until patches can be applied
# Note on connection pool validation: validationQuery and testOnBorrow are settings
# for JDBC DataSource pools declared in server.xml or context.xml. They do not
# validate the internal per-connection object pool that this WebSocket race
# corrupts, so treat them as general hardening rather than a fix for this CVE.
# Example: enable detailed WebSocket logging for monitoring. Tomcat's JULI logging
# takes the level from $CATALINA_BASE/conf/logging.properties rather than from a
# JVM system property, so append the package level there and restart Tomcat.
echo "org.apache.tomcat.websocket.level = FINE" >> "$CATALINA_BASE/conf/logging.properties"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.