CVE-2022-25762 Web apps that use WebSockets after Tomcat 8.5.0 to 8.5.75 or Tomcat 9.0.0.M1 to 9.0.20 can send messages END>

CVE-2022-25762 Web apps that use WebSockets after Tomcat 8.5.0 to 8.5.75 or Tomcat 9.0.0.M1 to 9.0.20 can send messages

END>

To work around this issue, you can set the value of the TomcatConnectors.EnablePooling property to false when deploying the application on Tomcat 8.5.75 or later. Alternatively, you can upgrade your application to use a different connector by setting the value of the TomcatConnectors.JmxConnector property to a non-zero value when deploying the application on Tomcat 9.0.20 or later. For example: {code} Connector port="8080" address="127.0.0.1" enablePooling="false" jmxConnector="0" /> {/code} This issue has been fixed in Apache Tomcat 9.0.21 and later. If you are running an earlier version of Apache Tomcat, you can upgrade your application to use a different connector by setting the value of the TomcatConnectors.JmxConnector property to a non-zero value when deploying the application on Tomcat 8.5.75 or later. For example: {code} Connector port="8080" address="127.0.0.1" enablePooling="false" jmxConnector="0" /> {/code}

How to find the version of Apache Tomcat you are running?

You can find the version of Apache Tomcat you are running by opening a terminal and typing:
{code} cat /usr/lib/jvm/java-8-openjdk-amd64/bin/java
java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b13)
JVM Version 8.0_144-b13 Java HotSpot(TM) 64-Bit Server VM (build 25.144-b24, mixed mode)
Tomcat Connectors 9.0.

Tomcat Connector for Apache Thrift

If you are experiencing this issue when running your application on Tomcat 8.5.75 or later, you should set the value of the TomcatConnectors.EnablePooling property to false when deploying the application on Tomcat 8.5.75 or later or upgrade your application to use a different connector by setting the value of the TomcatConnectors.JmxConnector property to a non-zero value when deploying the application on Tomcat 9.0.20 or later (see "Tomcat Connector for Apache Thrift" in this section). If you are running an earlier version of Apache Tomcat, you can upgrade your application to use a different connector by setting the value of the TomcatConnectors.JmxConnector property to a non-zero value when deploying the application on Tomcat 8.5.75 or later (see "Tomcat Connector for Apache Thrift" in this section).

Tomcat 8.0.x – CVE-2019-12044

To work around this issue, you can set the value of the TomcatConnectors.EnablePooling property to false when deploying the application on Tomcat 8.5.75 or later. Alternatively, you can upgrade your application to use a different connector by setting the value of the TomcatConnectors.JmxConnector property to a non-zero value when deploying the application on Tomcat 9.0.20 or later. For example: {code} Connector port="8080" address="127.0.0.1" enablePooling="false" jmxConnector="0" /> {/code} This issue has been fixed in Apache Tomcat 9.0.21 and later. If you are running an earlier version of Apache Tomcat, you can upgrade your application to use a different connector by setting the value of the TomcatConnectors.JmxConnector property to a non-zero value when deploying the application on Tomcat 8.5.75 or later. For example: {code} Connector port="8080" address="127.0.0.1" enablePooling="false" jmxConnector="0" /> {/code}

How to test if you are impacted by this issue?

To check whether or not you are impacted by this issue, perform the following steps:
- Download Apache Tomcat 9.0.20

- Unzip it to your local machine
- Execute the following commands in a command prompt window:
C:\apache-tomcat-9.0.20>c:\apache-tomcat-9.0.20\bin\httpd.exe -Djava.security.auth.login_config="C:/Apache Tomcat/conf/jmxremote" -cp c:\apache-tomcat-9.0.20\bin C:\Apache Tomcat\bin\bootstrap.jar org.apache.tomcat.util.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe