← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:160894 · CWE-400 · Disclosed 2022-05-10

Apache Tomcat 9

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a warning label fix, not a new hole in the hull

The issue behind tenable:160894 is CVE-2022-29885, fixed in Apache Tomcat 9.0.63. Affected upstream Tomcat versions are 9.0.13 through 9.0.62 for the 9.x line. The bug is not classic HTTP-side remote code execution; it is a documentation flaw around Tomcat clustering's EncryptInterceptor, which incorrectly implied that clustered Tomcat nodes could safely run over an *untrusted* network. In reality, confidentiality and integrity were improved, but DoS risk remained.

Reality is much milder than the 7.5 CVSS and Tenable plugin severity make it look. To matter, the target must be a clustered Tomcat deployment, EncryptInterceptor must be in play, and the attacker must be able to reach the cluster replication path, which is typically an internal-only design. Apache itself rated this issue Low, and that is much closer to enterprise patching reality than version-only scanner output.

"This is version-only scanner noise unless you actually run Tomcat clustering with EncryptInterceptor across an untrusted network."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a Tomcat node that actually uses clustering

The attacker first needs a Tomcat deployment with SimpleTcpCluster or equivalent enabled, not just any Tomcat server in the vulnerable version range. This immediately cuts exposure down because many Tomcat installs are standalone app containers behind a load balancer, with no Tribes clustering enabled at all.
Conditions required:
  • Target runs Tomcat 9.0.13 to 9.0.62
  • Tomcat clustering is enabled
  • Attacker can identify the cluster channel or relevant node
Where this breaks in practice:
  • Most scanner hits are version-only and do not prove clustering is enabled
  • Many enterprise Tomcat instances are single-node or use external session/state mechanisms
  • Cluster services are commonly segmented off from internet-facing paths
Detection/coverage: Traditional vuln scanners detect the version range well, but they usually cannot validate applicability because they do not parse server.xml for cluster config or test cluster reachability.
STEP 02

Reach the Tribes receiver and membership path

Tomcat clustering typically uses multicast membership and a TCP receiver for replication traffic. Apache's cluster documentation shows default membership on multicast 228.0.0.4:45564 and a receiver port in the 4000-4100 range, so the attacker needs network adjacency or routing to that plane rather than mere access to the web app on 8080/8443.
Conditions required:
  • Attacker has network path to cluster receiver port(s)
  • Firewalls or SGs allow access to the cluster plane
  • Deployment spans an untrusted or reachable network segment
Where this breaks in practice:
  • This is usually internal-network exposure, not generic unauthenticated internet HTTP reachability
  • Multicast often does not traverse routed boundaries
  • Good segmentation or host firewalls break the path immediately
Detection/coverage: Exposure management can flag open 4000-4100 or unusual east-west reachability, but service fingerprinting is weak; port exposure alone does not prove Tomcat Tribes.
STEP 03

Send crafted cluster traffic using public DoS tooling

Public exploit references exist, including a Packet Storm DoS reference that NVD lists for this CVE. The practical effect is not code execution or tenant escape; it is the ability to abuse the cluster communication assumptions and drive availability impact against the node or cluster service.
Conditions required:
  • A public PoC or custom crafted packet generator is available
  • Receiver path is reachable
  • Defender relied on EncryptInterceptor as sufficient protection for hostile networks
Where this breaks in practice:
  • PoC quality is limited compared with mainstream web RCE tooling
  • This is niche knowledge around Tomcat Tribes rather than commodity exploit spray
  • No reviewed source showed broad in-the-wild exploitation
Detection/coverage: Network telemetry may show unexpected traffic to cluster ports; host telemetry may show JVM instability, service restart, or resource exhaustion rather than clean exploit traces.
STEP 04

Cause service disruption, not full compromise

The impact is DoS-oriented. There is no reviewed evidence here of an HTTP-side pre-auth takeover path, credential theft, or arbitrary code execution from this CVE alone; the blast radius is operational disruption of the affected clustered nodes.
Conditions required:
  • Traffic reaches the affected cluster service
  • Target is deployed in the risky topology the docs implied was safe
Where this breaks in practice:
  • Availability-only impact narrows urgency versus auth bypass or RCE
  • Blast radius is bounded to the clustered deployment that made the unusual trust decision
Detection/coverage: EDR and service monitors are more likely to catch the effect than the cause: JVM crashes, restarts, OOM conditions, or failed session replication.
03 · Intelligence Metadata

The supporting signals.

Primary issueCVE-2022-29885 is a Tomcat clustering/EncryptInterceptor documentation flaw leading to residual DoS risk on untrusted networks.
In-the-wild statusNo reviewed evidence of active exploitation and not found in CISA KEV in the sources reviewed.
PoC availabilityThere is a public Packet Storm DoS reference linked from NVD/CVE references, and Tenable marks the issue as exploitable, but this is not broad commodity tradecraft.
EPSSFeedly reports EPSS 3.16% with 89.9th percentile for CVE-2022-29885, which is elevated for a low-practicality bug but still far from 'drop everything' territory.
KEV statusNot KEV-listed in the reviewed CISA sources.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5). This overstates real enterprise risk because it models generic network reachability, not the real prerequisite of reachable Tomcat clustering over an untrusted network.
Affected versionsUpstream Apache says Tomcat 9.0.13 to 9.0.62 are affected on the 9.x line; other affected lines are 8.5.38-8.5.78, 10.0.0-M1-10.0.20, and 10.1.0-M1-10.1.0-M14.
Fixed versionsUpstream fixed in 9.0.63 on 9.x. Distros may backport: Debian bullseye fixed with 9.0.43-2~deb11u4; Ubuntu 22.04 ESM fixed with 9.0.58-1ubuntu0.1+esm2.
Exposure realityApache cluster docs show default membership multicast 228.0.0.4:45564 and a TCP replication receiver in 4000-4100. That means exposure usually requires east-west or segmented network access, not just a public web endpoint.
Disclosure / reporterApache made the issue public on 2022-05-10 and says it was reported by 4ra1n on 2022-04-17.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.8/10)

The decisive factor is attacker position: this is not a normal web-facing Tomcat bug, it is a niche clustering issue that generally requires access to the internal cluster plane. Once you account for that exposure narrowing, plus availability-only impact and weak evidence of real-world abuse, this falls into backlog hygiene rather than emergency patching.

HIGH Affected upstream version range and upstream fix version
HIGH Applicability requires Tomcat clustering / cluster-plane reachability
MEDIUM Absence of meaningful in-the-wild exploitation evidence in reviewed sources

Why this verdict

  • Downward pressure: requires the cluster plane, not just the web app. CVSS treats this like any network-reachable service, but the real prerequisite is access to Tomcat Tribes clustering traffic, typically on internal-only paths.
  • Downward pressure: version-only detections massively overcount. Nessus flags every 9.0.13-9.0.62 install, but many of those hosts do not run clustering at all, and many clustered hosts do not expose cluster traffic across untrusted networks.
  • Downward pressure: availability-only impact. This is a DoS scenario, not pre-auth RCE, not auth bypass, and not a broad confidentiality/integrity failure.
  • Downward pressure: niche deployment assumption. The vulnerable condition is effectively 'you believed EncryptInterceptor made hostile-network clustering safe'—that is a rare architecture decision in mature enterprises.

Why not higher?

It is not higher because the exploit chain assumes internal or otherwise special network access to a Tomcat cluster channel that many enterprises never expose. On top of that, the impact is service disruption rather than durable compromise, and the reviewed sources do not show KEV status or broad active exploitation.

Why not lower?

It is not IGNORE because there is still a real class of deployments that used EncryptInterceptor as a security boundary and may have stretched clustering over networks they should not trust. If you have internet-routable or inter-zone-reachable Tribes traffic, the issue becomes operationally relevant even if it is still not an emergency-tier bug.

05 · Compensating Control

What to do — in priority order.

  1. Block cluster ports at boundaries — Deny Tomcat Tribes membership and receiver traffic across untrusted or unnecessary segments, especially multicast 228.0.0.4:45564 and receiver ports in 4000-4100. For a LOW verdict there is no noisgate mitigation SLA; do this as normal hardening/backlog hygiene.
  2. Audit for clustering before patching blindly — Confirm whether affected hosts actually use <Cluster> and EncryptInterceptor in server.xml before spending patch labor. For a LOW verdict, treat this as inventory cleanup and applicability triage during regular operations.
  3. Collapse unnecessary east-west reachability — If app teams do not need session replication, remove or disable clustering and close the receiver path entirely. For this severity, fold the change into standard network and platform hygiene work rather than emergency maintenance.
  4. Prefer trusted transport for any remaining cluster links — Where clustering must cross zones, move the trust boundary to VPN or tightly controlled network segmentation rather than assuming EncryptInterceptor alone is enough. Again, LOW means no deadline-driven emergency action unless your own architecture is unusually exposed.
What doesn't work
  • WAF on the HTTP front door does not solve this, because the interesting traffic is on the cluster plane, not normal app requests.
  • EncryptInterceptor by itself does not solve the problem; the CVE exists precisely because its protection was overstated for untrusted networks.
  • A version-only scanner hit does not prove exposure. If clustering is off or the cluster receiver is fenced, the practical risk is much lower than the plugin implies.
06 · Verification

Crowdsourced verification payload.

Run this on the target Tomcat host as a user that can read the Tomcat install and conf/server.xml; root is only needed if permissions are locked down. Save as check_tomcat_cve_2022_29885.sh and run bash check_tomcat_cve_2022_29885.sh /opt/tomcat or point it at CATALINA_BASE.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_tomcat_cve_2022_29885.sh
# Detect likely applicability of CVE-2022-29885 on Apache Tomcat 9.x
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

INPUT_BASE="${1:-}"

find_base() {
  local candidates=()
  if [[ -n "$INPUT_BASE" ]]; then candidates+=("$INPUT_BASE"); fi
  [[ -n "${CATALINA_BASE:-}" ]] && candidates+=("$CATALINA_BASE")
  [[ -n "${CATALINA_HOME:-}" ]] && candidates+=("$CATALINA_HOME")
  candidates+=(/opt/tomcat /usr/share/tomcat /usr/share/tomcat9 /var/lib/tomcat9 /opt/apache-tomcat* /usr/local/tomcat)

  for c in "${candidates[@]}"; do
    for path in $c; do
      [[ -d "$path" ]] || continue
      if [[ -f "$path/conf/server.xml" || -x "$path/bin/catalina.sh" || -x "$path/bin/version.sh" ]]; then
        echo "$path"
        return 0
      fi
    done
  done
  return 1
}

get_version() {
  local base="$1"
  local out=""

  if [[ -x "$base/bin/version.sh" ]]; then
    out=$("$base/bin/version.sh" 2>/dev/null | tr -d '\r')
  elif [[ -x "$base/bin/catalina.sh" ]]; then
    out=$("$base/bin/catalina.sh" version 2>/dev/null | tr -d '\r')
  fi

  if [[ -n "$out" ]]; then
    echo "$out" | sed -nE 's/.*Server number:[[:space:]]*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' | head -n1
    return 0
  fi

  # Fallback: parse RELEASE-NOTES or manifest-ish text if present
  for f in "$base/RELEASE-NOTES" "$base/RUNNING.txt" "$base/lib/catalina.jar"; do
    [[ -e "$f" ]] || continue
    strings "$f" 2>/dev/null | sed -nE 's/.*Apache Tomcat Version[[:space:]]*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' | head -n1
    return 0
  done

  return 1
}

ver_lt() {
  [[ "$1" == "$2" ]] && return 1
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

ver_ge() {
  [[ "$1" == "$2" ]] && return 0
  ! ver_lt "$1" "$2"
}

BASE=$(find_base) || {
  echo "UNKNOWN: could not locate Tomcat base/home"
  exit 2
}

VERSION=$(get_version "$BASE")
if [[ -z "${VERSION:-}" ]]; then
  echo "UNKNOWN: could not determine Tomcat version under $BASE"
  exit 2
fi

SERVER_XML="$BASE/conf/server.xml"
if [[ ! -f "$SERVER_XML" ]]; then
  # Try common distro split-path location
  if [[ -f "/etc/tomcat9/server.xml" ]]; then
    SERVER_XML="/etc/tomcat9/server.xml"
  else
    echo "UNKNOWN: version $VERSION found but server.xml not readable"
    exit 2
  fi
fi

# Plugin scope in question is Tomcat 9.0.13 < 9.0.63
if ver_lt "$VERSION" "9.0.13" || ver_ge "$VERSION" "9.0.63"; then
  echo "PATCHED: Tomcat version $VERSION is outside the affected 9.0.13-9.0.62 range"
  exit 0
fi

CLUSTER_ENABLED=0
ENCRYPT_INTERCEPTOR=0
RECEIVER_PRESENT=0
MEMBERSHIP_PRESENT=0

grep -Eq '<Cluster[[:space:]>]' "$SERVER_XML" && CLUSTER_ENABLED=1
grep -Eq 'EncryptInterceptor' "$SERVER_XML" && ENCRYPT_INTERCEPTOR=1
grep -Eq '<Receiver[[:space:]>]' "$SERVER_XML" && RECEIVER_PRESENT=1
grep -Eq '<Membership[[:space:]>]' "$SERVER_XML" && MEMBERSHIP_PRESENT=1

if [[ $CLUSTER_ENABLED -eq 1 && $ENCRYPT_INTERCEPTOR -eq 1 ]]; then
  echo "VULNERABLE: Tomcat $VERSION is in range and server.xml shows Cluster + EncryptInterceptor (review trust boundaries to cluster ports)"
  exit 1
fi

if [[ $CLUSTER_ENABLED -eq 1 ]]; then
  echo "UNKNOWN: Tomcat $VERSION is in range and clustering is enabled, but EncryptInterceptor was not found in readable config"
  exit 2
fi

echo "UNKNOWN: Tomcat $VERSION is in range, but clustering/EncryptInterceptor were not found in readable config; version-only scanner hit may be non-applicable"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not mass-escalate this plugin just because Nessus says Tomcat < 9.0.63. First, identify which hits are actually clustered Tomcat nodes using EncryptInterceptor and whether their Tribes ports are reachable across untrusted or unnecessary segments; for a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA — treat as backlog hygiene. If you do find cluster-plane exposure, close that network path in the next normal hardening cycle and patch Tomcat during routine maintenance rather than burning an emergency window.

Sources

  1. Tenable plugin 160894
  2. Apache Tomcat 9 security page
  3. Apache Tomcat 9 changelog
  4. NVD CVE-2022-29885
  5. Tomcat clustering how-to
  6. CISA vulnerability bulletin SB22-136
  7. Ubuntu CVE page for CVE-2022-29885
  8. Debian security tracker for CVE-2022-29885
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.