[SECURITY] CVE-2022-23181 Apache Tomcat Local Privilege Escalation

[Mark Thomas <ma...@apache.org>]

CVE-2022-23181 Apache Tomcat Local Privilege Escalation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M8
Apache Tomcat 10.0.0-M5 to 10.0.14
Apache Tomcat 9.0.35 to 9.0.56
Apache Tomcat 8.5.55 to 8.5.73

Description:
The fix for bug CVE-2020-9484 introduced a time of check, time of use 
vulnerability that allowed a local attacker to perform actions with the 
privileges of the user that the Tomcat process is using. This issue is 
only exploitable when Tomcat is configured to persist sessions using the 
FileStore.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M10 or later
- Upgrade to Apache Tomcat 10.0.16 or later
- Upgrade to Apache Tomcat 9.0.58 or later
- Upgrade to Apache Tomcat 8.5.75 or later

Note: This issue was fixed in Apache Tomcat 10.1.0-M9, 10.0.15, 9.0.57 
and 8.5.74 but the release vote for those release candidates did not 
pass. Therefore, although users must download 10.1.0-M10, 10.0.16, 
9.0.58 or 8.5.75 to obtain a version that includes a fix for this issue, 
versions 10.1.0-M9, 10.0.15, 9.0.57 and 8.5.74 are not included in the 
list of affected versions.

History:
2022-01-26 Original advisory

Credit:
This issue was reported to the Apache Tomcat Security team by Trung Pham
of Viettel Cyber Security.

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html