[SECURITY] CVE-2022-25762 Apache Tomcat - Request Mix-up

2022-05-12 Thread Mark Thomas

CVE-2022-25762 Apache Tomcat - Request Mix-up

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.20
Apache Tomcat 8.5.0 to 8.5.75

Description:
If a web application sends a WebSocket message concurrently with the 
WebSocket connection closing, it is possible that the application will 
continue to use the socket after it has been closed. The error handling 
triggered in this case could cause a pooled object to be placed in 
the pool twice. This could result in subsequent connections using the 
same object concurrently, which could result in data being returned to 
the wrong user and/or other errors.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.21 or later
- Upgrade to Apache Tomcat 8.5.76 or later

History:
2022-05-12 Original advisory

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] https://tomcat.apache.org/security-9.html
[2] https://tomcat.apache.org/security-8.html
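The following is an added illustration of the failure mode the advisory describes, written for this page and not taken from Tomcat's source: a pool that accepts the same object back twice ends up handing it to two later borrowers at once, while a pool that tracks what is checked out rejects the second release. The pool classes, the `simulate_close_race` helper and the `bytearray` "buffers" are constructed for the demonstration.

```python
from collections import deque
from threading import Lock


class NaivePool:
    """Pool that trusts callers to release each object exactly once.
    Constructed illustration only; this is not Tomcat's pool code."""

    def __init__(self, objects):
        self._free = deque(objects)

    def acquire(self):
        # Returns None when nothing is free (caller must wait or fail).
        return self._free.popleft() if self._free else None

    def release(self, obj):
        # No check: releasing the same object twice puts it in the pool twice.
        self._free.append(obj)
        return True


class GuardedPool:
    """Pool that records which objects are checked out and refuses a
    second release of the same object (the hardened variant)."""

    def __init__(self, objects):
        self._free = deque(objects)
        self._out = set()  # id() of every object currently checked out
        self._lock = Lock()

    def acquire(self):
        with self._lock:
            if not self._free:
                return None
            obj = self._free.popleft()
            self._out.add(id(obj))
            return obj

    def release(self, obj):
        with self._lock:
            if id(obj) not in self._out:
                # Not checked out: a duplicate release (e.g. from an error
                # path that runs after a normal close). Reject it.
                return False
            self._out.remove(id(obj))
            self._free.append(obj)
            return True


def simulate_close_race(pool_cls):
    """Model the advisory's sequence with a constructed two-object pool:
    both objects are checked out, one is released twice (normal close plus
    the error handler), then two later 'connections' each acquire an object.

    Returns (shared, second_release_accepted): whether the two later users
    ended up holding the same object, and whether the pool accepted the
    duplicate release.
    """
    pool = pool_cls([bytearray(b"buf-1"), bytearray(b"buf-2")])
    conn_a = pool.acquire()
    conn_b = pool.acquire()          # stays in use for the whole scenario
    pool.release(conn_a)             # normal close returns it
    accepted = pool.release(conn_a)  # error handling returns it again
    later_1 = pool.acquire()
    later_2 = pool.acquire()
    shared = later_1 is not None and later_1 is later_2
    del conn_b
    return shared, accepted


if __name__ == "__main__":
    print("naive  :", simulate_close_race(NaivePool))    # (True, True)
    print("guarded:", simulate_close_race(GuardedPool))  # (False, False)
```

With the naive pool the two later borrowers receive the same `bytearray`, which is the "data returned to the wrong user" outcome; with the guarded pool the second borrower simply gets nothing until a real release happens, which is the safe failure.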


Re: Help Needed for Root cause - ApacheTomcat services stopped

2022-05-12 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Sahil,

> -Original Message-
> From: Verma, Sahil 
> Sent: Wednesday, 11 May 2022 20:56
> To: Tomcat Users List 
> Subject: RE: Help Needed for Root cause - ApacheTomcat services stopped
> 
> Hi Mark,
> Good day!
> 
> Thank you very much for the reply!
> 
> Yes, we are using both Apache & Tomcat environment.
> 
> Apache - 2.4.25 version
> Tomcat - 8.5.5 version
> OS - Linux
> 
> 
> You are correct, we got this error in Apache webserver logs. We are attaching
> both Apache httpd (error.log) and Tomcat (Catalina.out) logs
> 
> Please let us know if any other information required.
> 
> Thanks,
> Sahil
> 
> 
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, May 11, 2022 11:39 PM
> To: users@tomcat.apache.org
> Subject: Re: Help Needed for Root cause - ApacheTomcat services stopped
> 
> That is an Apache Web Server (httpd) log message, not an Apache Tomcat log
> message. Are you sure you are using Apache Tomcat?
> 
> Mark
> 
> 
> On 11/05/2022 19:01, Verma, Sahil wrote:
> > Hi Team,
> >
> >
> >
> > In our production environment, ApacheTomcat services went down. We
> > have checked the logs and found below error -
> >
> >
> >
> > [Thu May 05 10:34:51.441668 2022] [mpm_event:error] [pid 27440:tid
> > 140464737793792] AH00484: server reached MaxRequestWorkers setting,
> > consider raising the MaxRequestWorkers setting
> >
> >
> >
> > Please help to find the root cause of the issue why services got stopped.
> > Kindly let us know if any other information required.
> >
> > Apache version - 2.2
> > OS - Linux
> >
> >
> > Thanks,
> > Sahil
> >

Tomcat logs look fine (except some warnings which don't matter here).

The MaxRequestWorkers is documented here:
https://httpd.apache.org/docs/2.4/en/mod/mpm_common.html#maxrequestworkers

You actually have a load or performance issue. This is usually related to your 
application or environment.
You can activate the access-log (either on apache or tomcat side) to view the 
number of requests.
Also log the processing time to see if some requests are taking too long.
Another option would be to activate and check tomcat-manager about the 
currently processed requests or use Apachetop 
(https://linux.die.net/man/1/apachetop)

I can think of two possible cases:
1) Requests are taking too long (performance issue in the application) and thus 
the number of workers gets exhausted
2) You have a high load / number of requests. If you still have CPU and memory 
left, you can increase the workers in the Apache configuration

Greetings,
Thomas
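As an added example (not part of the thread above), here is one way to act on the advice to log processing time and count requests: an httpd `LogFormat` with `%D` appended, and a small Python script that parses such lines, lists the slow requests, counts hits per path and totals the worker time consumed. The `LogFormat` name, the regular expression, the helper functions and the four sample log lines are all constructed here; the sample lines are not from the poster's servers.

```python
import re
from collections import Counter

# httpd mod_log_config format used by this example: the standard "combined"
# fields with %D (time taken to serve the request, in microseconds) appended.
# The format name "combined_timed" is an assumption chosen for this example.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_timed
#   CustomLog logs/access_log combined_timed
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# Constructed sample lines in the format above (hosts, paths and timings invented).
SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2022:10:34:40 +0000] "GET /app/report HTTP/1.1" 200 51234 "-" "Mozilla/5.0" 48213977
10.0.0.6 - - [05/May/2022:10:34:41 +0000] "GET /app/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 12045
10.0.0.7 - - [05/May/2022:10:34:41 +0000] "POST /app/report HTTP/1.1" 200 60011 "-" "curl/7.68.0" 61555210
10.0.0.8 - - [05/May/2022:10:34:42 +0000] "GET /static/app.css HTTP/1.1" 304 - "-" "Mozilla/5.0" 803
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["micros"] = int(rec["micros"])
    return rec


def parse_log(text):
    """Parse every line of the log text, skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def slow_requests(records, threshold_seconds=5.0):
    """Requests that took at least threshold_seconds, slowest first."""
    limit = threshold_seconds * 1_000_000
    return sorted((r for r in records if r["micros"] >= limit),
                  key=lambda r: r["micros"], reverse=True)


def hits_per_path(records):
    """Request count per URL path (the second token of the request line)."""
    return Counter(r["request"].split()[1] for r in records)


def worker_seconds(records):
    """Total worker time consumed by these requests, in seconds. Divided by
    the length of the window it approximates how many workers were busy at
    once, which is the quantity MaxRequestWorkers caps."""
    return sum(r["micros"] for r in records) / 1_000_000


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in slow_requests(recs):
        print(f"{r['micros'] / 1e6:8.1f}s  {r['host']:10}  {r['request']}")
    print(hits_per_path(recs).most_common(3))
    print(f"worker-seconds: {worker_seconds(recs):.3f}")
```

Run against a real `access_log` the slow list points at the requests (case 1 in the message above) and the hit counter at the load (case 2); a large worker-seconds total over a short window with no slow entries means case 2. Tomcat's `AccessLogValve` also has a `%D` token if the timing is easier to collect behind the proxy; check the valve documentation for its unit in your version.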