CVE-2022-25762 in Agile PLM

Summary

by MITRE • 05/13/2022

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.


Analysis

by VulDB Data Team • 08/14/2022

The vulnerability identified as CVE-2022-25762 represents a critical concurrency issue within Apache Tomcat's WebSocket implementation that stems from improper resource management during connection lifecycle transitions. This flaw specifically affects versions ranging from Apache Tomcat 8.5.0 through 8.5.75 and 9.0.0.M1 through 9.0.20, creating a scenario where WebSocket connections can enter an inconsistent state when simultaneous operations occur during the connection closing process. The underlying technical root cause involves the WebSocket message handling mechanism failing to properly synchronize access to socket resources when concurrent operations attempt to send messages while the connection is being terminated.

The operational impact of this vulnerability manifests through a dangerous condition where a pooled socket object can be added to the connection pool twice, creating a scenario that violates fundamental resource management principles. When this occurs, subsequent WebSocket connections may inadvertently reuse the same socket object concurrently, leading to severe data integrity issues where responses intended for one client could be delivered to another client. This behavior directly violates the principle of resource isolation and can result in cross-contamination of sensitive data, session hijacking, or other forms of information leakage that compromise the confidentiality and integrity of web applications.

From a security perspective, this vulnerability aligns with CWE-362, which addresses concurrent execution using a resource or channel inappropriately, and represents a classic example of a race condition in resource management. The flaw also maps to ATT&CK technique T1190, which covers exploitation of vulnerabilities in web applications, as it enables attackers to potentially manipulate WebSocket connections for unauthorized data access. The vulnerability's impact extends beyond simple data corruption, as it can enable attackers to exploit the concurrent access patterns to perform session manipulation, data injection, or even execute arbitrary code within the application context, depending on the specific implementation details of affected applications.

Organizations affected by this vulnerability should immediately implement mitigations including updating to Apache Tomcat versions 8.5.76 or 9.0.21, which contain the necessary patches to address the concurrent resource management issue. Additionally, application-level protections should include implementing proper connection state validation, adding explicit synchronization mechanisms for WebSocket operations, and monitoring for unusual patterns in connection pooling behavior. Network-level mitigations such as implementing proper connection timeouts and connection limiting can help reduce the attack surface, while application developers should ensure that WebSocket message handling code includes robust error checking and proper resource cleanup procedures that prevent the use of closed socket resources. The vulnerability demonstrates the critical importance of proper resource lifecycle management in concurrent environments and highlights the need for comprehensive testing of connection handling code under stress conditions.
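The double return to the pool described above, reduced to a minimal model (an added example, not Tomcat's code or VulDB's): a naive pool accepts a second release and later hands the same buffer to two connections, while a pool that tracks objects on loan rejects the duplicate. The sequential ordering of the two releases and the guarded-pool design are illustrative assumptions, not Tomcat's actual fix.

```python
import threading


class NaivePool:
    """Pool that blindly accepts every release: the hazardous pattern."""

    def __init__(self, size):
        self._free = [bytearray(64) for _ in range(size)]

    def acquire(self):
        return self._free.pop()

    def release(self, buf):
        self._free.append(buf)


class GuardedPool(NaivePool):
    """Pool that tracks objects on loan and rejects a second release of one."""

    def __init__(self, size):
        super().__init__(size)
        self._lock = threading.Lock()
        self._loaned = set()

    def acquire(self):
        with self._lock:
            buf = self._free.pop()
            self._loaned.add(id(buf))
            return buf

    def release(self, buf):
        with self._lock:
            if id(buf) not in self._loaned:
                raise RuntimeError("double release of pooled object")
            self._loaned.discard(id(buf))
            self._free.append(buf)


def send_during_close(pool, message):
    """Model of the race in the advisory, made sequential so it is repeatable:
    the close path returns the buffer, then the failed send's error handler
    returns the same buffer a second time (constructed scenario)."""
    buf = pool.acquire()
    buf[:len(message)] = message      # hypothetical client A's outbound data
    pool.release(buf)                 # connection close path returns the buffer
    pool.release(buf)                 # send() error handling returns it again


def demonstrate(pool_cls):
    """Return (double release rejected?, two later connections share one
    object?, bytes the second connection can read from that object)."""
    pool = pool_cls(size=2)
    try:
        send_during_close(pool, b"secret")
    except RuntimeError:
        return (True, False, b"")
    first, second = pool.acquire(), pool.acquire()
    return (False, first is second, bytes(second[:6]))
```

With the naive pool the second "connection" receives the very buffer still holding client A's data, which is the cross-client leak the summary describes.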

Reservation: 02/22/2022

Disclosure: 05/13/2022

Moderation: accepted

EPSS: 0.00646

KEV: no

Activities: very low
