CVE-2022-23181

7.0 HIGH

📋 TL;DR

This CVE describes a time-of-check-time-of-use (TOCTOU) vulnerability in Apache Tomcat that allows local attackers to escalate privileges. The vulnerability only affects systems where Tomcat is configured to persist sessions using FileStore. Attackers can perform actions with the privileges of the Tomcat process user.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56, 8.5.55 to 8.5.73
Operating Systems: All operating systems running affected Tomcat versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured to use FileStore for session persistence. Default configuration uses MemoryStore which is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local attacker gains full control of the Tomcat process, potentially leading to complete system compromise if Tomcat runs with elevated privileges.

🟠 Likely Case: Local attacker modifies session data, potentially hijacking user sessions or executing arbitrary code within the Tomcat context.

🟢 If Mitigated: Minimal impact if Tomcat runs with minimal privileges and proper access controls are in place.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Internal attackers with local access could exploit this to escalate privileges on affected Tomcat servers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to the system and the specific FileStore configuration. Exploitation requires winning a race-condition window.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tomcat 10.1.0-M9, 10.0.15, 9.0.57, 8.5.74 and later

Vendor Advisory: https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9

Restart Required: Yes

Instructions:

1. Download the patched Tomcat version from the Apache website.
2. Stop the Tomcat service.
3. Back up configuration files.
4. Replace the Tomcat installation with the patched version.
5. Restore configuration files.
6. Start the Tomcat service.

🔧 Temporary Workarounds

Disable FileStore Session Persistence (platform: all)

Switch from FileStore to MemoryStore or other session persistence methods.

Modify context.xml or server.xml to remove or comment out the <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="true"> configuration.

Restrict File Permissions (platform: linux)

Set strict permissions on the Tomcat session directory:

chmod 700 $CATALINA_BASE/work/Catalina/localhost
chown tomcat:tomcat $CATALINA_BASE/work/Catalina/localhost

🧯 If You Can't Patch

  • Run Tomcat with minimal privileges using a dedicated low-privilege user account
  • Implement strict access controls to prevent local users from accessing Tomcat server

🔍 How to Verify

Check if Vulnerable:

Check the Tomcat version and the session persistence configuration. If FileStore is in use and the version is in the affected range, the system is vulnerable.

Check Version:

java -cp $CATALINA_HOME/lib/catalina.jar org.apache.catalina.util.ServerInfo

Verify Fix Applied:

Verify Tomcat version is 10.1.0-M9+, 10.0.15+, 9.0.57+, or 8.5.74+
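As an added example (not from this advisory or the Tomcat project), the following Python script automates the two checks above: it parses the version printed by ServerInfo against the affected ranges listed on this page, and inspects a context.xml for a PersistentManager backed by a FileStore, assuming the standard nested <Store className="org.apache.catalina.session.FileStore"> element. The ServerInfo output and context.xml below are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in this advisory (both ends inclusive), per branch.
AFFECTED = {
    "10.1": ("10.1.0-M1", "10.1.0-M8"),
    "10.0": ("10.0.0-M5", "10.0.14"),
    "9.0": ("9.0.35", "9.0.56"),
    "8.5": ("8.5.55", "8.5.73"),
}

# Constructed samples: ServerInfo-style output and a context.xml that uses FileStore.
SAMPLE_SERVERINFO = "Server version: Apache Tomcat/9.0.56"
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager" saveOnRestart="true">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

def parse_version(text):
    """Comparable tuple for the first Tomcat version in text; a milestone (10.1.0-M8) sorts before the GA release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def version_affected(text):
    """True if the version in text falls inside one of the affected ranges."""
    v = parse_version(text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED:
        return False
    low, high = (parse_version(b) for b in AFFECTED[branch])
    return low <= v <= high

def uses_filestore(context_xml):
    """True if a PersistentManager in the XML is backed by a FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        if any(s.get("className", "").endswith("FileStore") for s in manager.iter("Store")):
            return True
    return False

def is_vulnerable(version_text, context_xml):
    """Both advisory conditions must hold: affected version AND FileStore in use."""
    return version_affected(version_text) and uses_filestore(context_xml)
```

Feed it the real output of the ServerInfo command and the contents of your context.xml or server.xml; a server whose session configuration lives in server.xml should have that file checked as well.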

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file access attempts in Tomcat logs
  • Session corruption or modification events

Network Indicators:

  • None - this is a local attack

SIEM Query:

source="tomcat" AND (event="session_corruption" OR event="file_access_violation")
