Apache Tomcat 9

The plugin title is misleading. tenable:159464 keys off CVE-2021-43980, which is an Apache Tomcat information disclosure race condition, not the actual Spring4Shell RCE (CVE-2022-22965). Apache lists affected Tomcat 9 versions as 9.0.0-M1 through 9.0.60, fixed in the 9.0.61 code line and shipped to users in 9.0.62; Debian and distro builds may be fixed through backports even when the package version string is older.

Apache labeled the Tomcat issue High because cross-client response leakage can expose one user's data to another. In practice, Tenable's Low call is closer to operational reality for enterprise patch triage: exploitation is described by Apache as extremely hard to trigger, impact is confidentiality-only, and there is no credible evidence that CVE-2021-43980 became an internet-scale exploit path. The dangerous thing here is mostly the title collision with Spring4Shell, which can trick teams into over-prioritizing the wrong CVE.

Why this verdict

• Not Spring4Shell: the title reuses the 9.0.62 fix milestone that also appeared in Spring4Shell guidance, but the CVE here is a different bug with much lower operational risk
• High-complexity race: the core exploit prerequisite is precise concurrency timing, which compounds downward pressure on severity even before you ask whether the service is exposed
• Confidentiality-only blast radius: successful exploitation leaks responses between clients; it does not directly yield code execution, persistence, or domain-wide lateral movement
• No strong exploitation evidence: no KEV entry or credible mainstream exploit use was found for CVE-2021-43980, unlike the actual Spring4Shell ecosystem panic and KEV listing around CVE-2022-22965
• Exposure is narrower in real estates: many Tomcat servers are internal, reverse-proxied, or distro-backported, which further shrinks the reachable population

Why not higher?

If this were the actual Spring4Shell RCE path, or if there were reliable public exploitation and host-compromise outcomes, this would move up fast. But CVE-2021-43980 is a hard-to-hit race with confidentiality-only impact, so the classic internet-facing-RCE logic does not apply.

Why not lower?

This is still a remotely reachable server-side flaw that can cross session boundaries and leak one user's data to another, which matters for customer-facing or regulated apps. If you know you run affected upstream Tomcat on exposed systems, it deserves cleanup rather than a pure ignore decision.

1. Validate the finding against package provenance — Check whether the Tomcat instance is an upstream install or a distro package with backported fixes. Do this during normal triage because LOW has no SLA; a backported Debian/Ubuntu package can be fixed even when the visible Tomcat train looks older.
2. Prioritize internet-facing multi-user Tomcat first — If you do patch this issue, start with public applications where concurrent user traffic could make cross-client response leakage meaningful. For a LOW verdict there is no mitigation SLA and no remediation SLA beyond backlog hygiene, so fold it into the next normal Tomcat maintenance cycle unless business sensitivity justifies acceleration.
3. Review for reverse-proxy containment — Confirm exposed Tomcat nodes are behind your standard reverse proxy, LB, and TLS edge controls. This does not fix the bug, but it reduces raw direct reachability and should be maintained as part of standard platform hygiene with no specific LOW-deadline SLA.
4. Watch for session-mix anomalies — Ask app owners whether they have seen users receiving the wrong page, partial response, or another user's session content. That operational check is cheap and useful because successful exploitation would look like application weirdness, not malware execution.

Run this on the target Tomcat host as the Tomcat service account or any user who can read the installation directory. Invoke it as bash check_tomcat_cve_2021_43980.sh /opt/tomcat or let it autodetect common locations; root is not required unless the install path is locked down.

#!/usr/bin/env bash
# check_tomcat_cve_2021_43980.sh
# Detect likely exposure to CVE-2021-43980 on Apache Tomcat 9.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_DIR="${1:-}"
VERSION=""
SOURCE=""

find_version() {
  local base="$1"
  if [ -f "$base/bin/catalina.sh" ]; then
    VERSION=$("$base/bin/catalina.sh" version 2>/dev/null | awk -F': ' '/Server number/ {print $2; exit}')
    if [ -n "$VERSION" ]; then
      SOURCE="$base/bin/catalina.sh"
      return 0
    fi
  fi

  if [ -f "$base/lib/catalina.jar" ] && command -v unzip >/dev/null 2>&1; then
    VERSION=$(unzip -p "$base/lib/catalina.jar" org/apache/catalina/util/ServerInfo.properties 2>/dev/null | awk -F'=' '/server.number/ {print $2; exit}')
    if [ -n "$VERSION" ]; then
      SOURCE="$base/lib/catalina.jar"
      return 0
    fi
  fi

  return 1
}

try_pkg_mgr() {
  if command -v dpkg-query >/dev/null 2>&1; then
    local pkgv
    pkgv=$(dpkg-query -W -f='${Version}\n' tomcat9 2>/dev/null || true)
    if [ -n "$pkgv" ]; then
      echo "UNKNOWN: Debian/Ubuntu package tomcat9 version $pkgv detected. Distro backports may already include the fix; verify against vendor advisory."
      exit 2
    fi
  fi

  if command -v rpm >/dev/null 2>&1; then
    local pkgv
    pkgv=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat tomcat9 2>/dev/null | head -n1 || true)
    if [ -n "$pkgv" ] && [ "$pkgv" != "package tomcat is not installed" ]; then
      echo "UNKNOWN: RPM Tomcat package $pkgv detected. Vendor backports may already include the fix; verify against your distro advisory."
      exit 2
    fi
  fi
}

check_upstream_9x() {
  local ver="$1"
  # Accept forms like 9.0.60 or 9.0.62-SNAPSHOT
  local clean major minor patch
  clean=$(echo "$ver" | sed 's/[^0-9.].*$//')
  IFS='.' read -r major minor patch <<< "$clean"

  if [ -z "${major:-}" ] || [ -z "${minor:-}" ] || [ -z "${patch:-}" ]; then
    echo "UNKNOWN: Could not parse Tomcat version '$ver'"
    exit 2
  fi

  if [ "$major" -ne 9 ]; then
    echo "UNKNOWN: This check is for Tomcat 9; detected version '$ver'"
    exit 2
  fi

  if [ "$minor" -ne 0 ]; then
    echo "UNKNOWN: Unexpected Tomcat 9 version format '$ver'"
    exit 2
  fi

  if [ "$patch" -le 60 ]; then
    echo "VULNERABLE: Upstream Tomcat $ver is in the affected 9.0.0-M1 to 9.0.60 range for CVE-2021-43980"
    exit 1
  fi

  if [ "$patch" -ge 62 ]; then
    echo "PATCHED: Upstream Tomcat $ver is at or above 9.0.62"
    exit 0
  fi

  if [ "$patch" -eq 61 ]; then
    echo "UNKNOWN: 9.0.61 was a non-shipping release candidate line; verify build provenance manually"
    exit 2
  fi

  echo "UNKNOWN: Unhandled version case '$ver'"
  exit 2
}

if [ -n "$TARGET_DIR" ]; then
  if find_version "$TARGET_DIR"; then
    echo "Detected version $VERSION from $SOURCE"
    check_upstream_9x "$VERSION"
  else
    echo "UNKNOWN: Could not determine Tomcat version from $TARGET_DIR"
    exit 2
  fi
fi

for d in /opt/tomcat /usr/share/tomcat /usr/share/tomcat9 /usr/local/tomcat /var/lib/tomcat9; do
  if [ -d "$d" ] && find_version "$d"; then
    echo "Detected version $VERSION from $SOURCE"
    check_upstream_9x "$VERSION"
  fi
done

try_pkg_mgr

echo "UNKNOWN: No Tomcat installation found or version could not be determined"
exit 2

Sources

1. Tenable plugin 159464
2. Apache Tomcat 9 security page
3. CVE record for CVE-2021-43980
4. NVD entry for CVE-2021-43980
5. Spring advisory for real Spring4Shell (CVE-2022-22965)
6. CISA alert on Spring4Shell
7. CISA Known Exploited Vulnerabilities Catalog
8. Debian security tracker for CVE-2021-43980