[thredds] Fwd: [SECURITY] CVE-2022-23181 Apache Tomcat Local Privilege Escalation

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2022-23181 Apache Tomcat Local Privilege Escalation
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Wed, 26 Jan 2022 17:38:15 -0700
Hello all,

A new CVE for Tomcat was announced. While the severity of it is listed as
'low' we encourage everyone to stay on top of their tomcat and TDS upgrades
and run the most current versions available.

This is also a good time to remind everyone to run their servlet containers
as an underprivileged user and never as the root user (see CVE details).
For more information about running your servlet container with the correct
permissions, please see:
https://docs.unidata.ucar.edu/tds/current/userguide/tomcat_permissions.html

Cheers,
Jennifer

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Jan 26, 2022 at 4:13 AM
Subject: [SECURITY] CVE-2022-23181 Apache Tomcat Local Privilege Escalation
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <
announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


CVE-2022-23181 Apache Tomcat Local Privilege Escalation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M8
Apache Tomcat 10.0.0-M5 to 10.0.14
Apache Tomcat 9.0.35 to 9.0.56
Apache Tomcat 8.5.55 to 8.5.73

Description:
The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability that allowed a local attacker to perform actions with the
privileges of the user that the Tomcat process is using. This issue is
only exploitable when Tomcat is configured to persist sessions using the
FileStore.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M10 or later
- Upgrade to Apache Tomcat 10.0.16 or later
- Upgrade to Apache Tomcat 9.0.58 or later
- Upgrade to Apache Tomcat 8.5.75 or later

Note: This issue was fixed in Apache Tomcat 10.1.0-M9, 10.0.15, 9.0.57
and 8.5.74 but the release vote for those release candidates did not
pass. Therefore, although users must download 10.1.0-M10, 10.0.16,
9.0.58 or 8.5.75 to obtain a version that includes a fix for this issue,
versions 10.1.0-M9, 10.0.15, 9.0.57 and 8.5.74 are not included in the
list of affected versions.

History:
2022-01-26 Original advisory

Credit:
This issue was reported to the Apache Tomcat Security team by Trung Pham
of Viettel Cyber Security.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
  • 2022 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: