CVE-2022-45143 Overview
The JsonErrorReportValve in Apache Tomcat contains an improper output encoding vulnerability that allows attackers to inject or manipulate JSON output. The vulnerability exists because the type, message, and description values are not properly escaped before being included in the JSON error response. Since these values can be constructed from user-provided data in certain circumstances, malicious users can supply crafted input that invalidates or manipulates the JSON output structure.
Critical Impact
Attackers can exploit this vulnerability to manipulate JSON error responses, potentially leading to JSON injection attacks that could compromise data integrity or enable further exploitation of downstream systems parsing the malformed JSON.
Affected Products
- Apache Tomcat 8.5.83
- Apache Tomcat 9.0.40 to 9.0.68
- Apache Tomcat 10.1.0-M1 to 10.1.1
Discovery Timeline
- 2023-01-03 - CVE CVE-2022-45143 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-45143
Vulnerability Analysis
This vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output), which occurs when software constructs output using user-controlled input without properly neutralizing special elements that could be interpreted incorrectly by downstream components.
The JsonErrorReportValve is a Tomcat valve that formats error responses as JSON for client applications expecting JSON-formatted error messages. When an error occurs, the valve constructs a JSON response containing the error type, message, and description. The flaw lies in the valve's failure to properly escape these values before embedding them in the JSON structure.
This vulnerability can be exploited over the network without requiring authentication or user interaction. While it does not directly compromise confidentiality or availability, it poses a significant integrity risk by allowing manipulation of the application's JSON output.
Root Cause
The root cause of this vulnerability is the lack of proper JSON escaping routines applied to user-controllable input values before they are concatenated into the JSON error response. The JsonErrorReportValve directly inserts the type, message, and description values into the JSON output without sanitizing special characters such as quotes, backslashes, or control characters that have special meaning in JSON syntax.
Attack Vector
An attacker can exploit this vulnerability by providing specially crafted input that contains JSON control characters or structure elements. When this input is reflected in an error response through the JsonErrorReportValve, it can break out of the intended JSON string context and inject arbitrary JSON content.
The attack can be executed by triggering an error condition where user-supplied data is included in the error message, type, or description fields. For example, submitting a request that causes an exception where the exception message contains attacker-controlled content could result in JSON injection.
When exploited, this vulnerability can manipulate the structure of the JSON response, potentially injecting additional JSON keys/values, corrupting the response parsing by downstream systems, or enabling more sophisticated attacks against applications that consume and trust the JSON error responses without additional validation.
Detection Methods for CVE-2022-45143
Indicators of Compromise
- Malformed JSON responses from Apache Tomcat error pages containing unexpected JSON structures
- Error logs showing unusual characters or escape sequences in error messages processed by JsonErrorReportValve
- Downstream systems reporting JSON parsing failures when processing Tomcat error responses
Detection Strategies
- Monitor application logs for error responses containing suspicious characters such as unescaped quotes, backslashes, or newlines within JSON error messages
- Implement JSON schema validation on downstream systems to detect malformed or manipulated error responses
- Deploy web application firewall (WAF) rules to detect potential JSON injection payloads in incoming requests
Monitoring Recommendations
- Enable verbose logging for the JsonErrorReportValve component to capture all error response generation events
- Configure alerting for any JSON parsing exceptions in systems that consume Tomcat error responses
- Review access logs for patterns of requests designed to trigger error conditions with crafted payloads
How to Mitigate CVE-2022-45143
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version: 8.5.84 or later, 9.0.69 or later, or 10.1.2 or later
- If immediate upgrade is not possible, consider disabling the JsonErrorReportValve and using the default HTML error reporting instead
- Review and audit any downstream systems that parse JSON error responses from Tomcat for additional input validation
Patch Information
Apache has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Apache Tomcat 8.5.x: Upgrade to version 8.5.84 or later
- Apache Tomcat 9.0.x: Upgrade to version 9.0.69 or later
- Apache Tomcat 10.1.x: Upgrade to version 10.1.2 or later
For detailed information, see the Apache Mailing List Thread. Additional advisories are available from Gentoo GLSA 2023-05-37 and NetApp Security Advisory NTAP-20230216-0009.
Workarounds
- Disable the JsonErrorReportValve in the Tomcat configuration if JSON error reporting is not required
- Implement a custom error valve that properly escapes all user-controllable values before including them in JSON output
- Add an intermediary reverse proxy or WAF that sanitizes error responses before they reach clients
# Configuration example: Disable JsonErrorReportValve in server.xml
# Comment out or remove any JsonErrorReportValve configuration
# <Valve className="org.apache.catalina.valves.JsonErrorReportValve" />
# Alternative: Use the default ErrorReportValve instead
# Ensure your Host or Engine element uses the standard valve:
# <Valve className="org.apache.catalina.valves.ErrorReportValve"
# showReport="false"
# showServerInfo="false" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
