Bug 1311085 (CVE-2015-5346)
| Summary: | CVE-2015-5346 tomcat: Session fixation | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Timothy Walsh <twalsh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | aileenc, alazarot, alee, asantos, bbaranow, bdawidow, bmaxwell, brms-jira, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dknox, dmcphers, epp-bugs, etirelli, fnasser, gvarsami, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jbpapp-maint, jclere, jcoleman, jdg-bugs, jdoyle, jialiu, joelsmith, jokerman, jpallich, jshepherd, kconner, krzysztof.daniel, ldimaggi, lgao, lmeyer, lpetrovi, mbabacek, mbaluch, miburman, mmccomas, mpoole, mweiler, mwinkler, myarboro, nwallace, pcheung, pgier, psakar, pslavice, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vtunka, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | tomcat 7.0.67, tomcat 8.0.32 | Doc Type: | Bug Fix |
| Doc Text: | A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 02:48:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1311095, 1311102, 1316022, 1316023, 1322794, 1322795, 1347138, 1347139, 1352009, 1381946 | | |
| Bug Blocks: | 1311109, 1318206, 1382592 | | |
Description
Timothy Walsh
2016-02-23 11:01:42 UTC

External references: http://seclists.org/bugtraq/2016/Feb/143

Upstream patches:
Tomcat7: http://svn.apache.org/viewvc?view=revision&revision=1713187
Tomcat8: http://svn.apache.org/viewvc?view=revision&revision=1713185
http://svn.apache.org/viewvc?view=revision&revision=1723506

This issue has been addressed in the following products:
Red Hat JBoss Web Server 3.0.3
Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html

This issue has been addressed in the following products:
JWS 3.0 for RHEL 7
Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088

This issue has been addressed in the following products:
JWS 3.0 for RHEL 6
Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087

tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html

This issue has been addressed in the following products:
Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Web Server 2 for RHEL 6
Red Hat JBoss Enterprise Web Server 2 for RHEL 7
Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html