Bug 806050

Summary: tomcat5 vulnerable to session fixation attack
Product: Red Hat Enterprise Linux 5
Reporter: Jason Woodrich <jwoodrich>
Component: tomcat5
Assignee: David Knox <dknox>
Status: CLOSED WONTFIX
QA Contact: tomcat-qe
Severity: medium
Priority: medium
Version: 5.9
CC: jclere, jpechane, jwoodrich, ngupta
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-02 13:01:52 UTC

Description Jason Woodrich 2012-03-22 18:23:40 UTC
Description of problem:

Tomcat prior to 5.5.29 is vulnerable to session fixation attacks.  In Tomcat 5.5.29 Apache introduced a property in context.xml for authenticators called changeSessionIdOnAuthentication that, when enabled, causes authenticators extending the AuthenticatorBase to change the session ID upon successful authentication.  This issue is detailed in https://issues.apache.org/bugzilla/show_bug.cgi?id=45255.  I'm requesting that this fix be provided in the version of Tomcat 5 that is bundled with RHEL 5.

Version-Release number of selected component (if applicable):

tomcat5-5.5.23-0jpp.19.el5_6, tomcat5-5.5.23-0jpp.22.el5_7

How reproducible:

Consistently easy.

Steps to Reproduce:
1. On computer A: Using Firefox and the Live HTTP Headers plugin, access a website on your Tomcat 5.5.23 server that uses some form of access control.
2. On computer A: Look for a cookie in Live HTTP Headers for JSESSIONID and copy the value of that cookie.
3. On computer B: Open Firefox with the Advanced Cookie Manager plugin.  Add a cookie for that site (Tools->Cookie Manager, click Add Cookie) for JSESSIONID with the same value identified from Live HTTP Headers.
4. On computer B: Access a protected URL for that site on your Tomcat 5.5.23 server.

Actual results:

User on computer B can freely use the site as if they were the user on computer A.

Expected results:

Upon successful authentication Tomcat would generate a new session ID, thereby blocking any attempt to set a fixed session by an attacker.

Additional info:
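The expected behaviour the report asks for, a fresh session ID issued at the moment of successful authentication, written out as an added example; this is not code from the bug report or from Tomcat itself. It is a Servlet 2.4-style login servlet (the API level Tomcat 5.5 ships), so it invalidates the pre-login session and creates a new one rather than calling the Servlet 3.1 `request.changeSessionId()`. The request parameter names, the `authenticatedUser` attribute name and the in-memory user store are assumptions standing in for the application's own realm.

```java
// Added example (not from the bug report or Tomcat): rotate the session ID on
// successful login so an ID that existed before authentication (for example
// one copied from another browser) no longer names the authenticated session.
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Constructed stand-in for a real user store (assumption for the example).
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "correct horse battery staple");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");   // assumed parameter name
        String pass = req.getParameter("password");   // assumed parameter name

        if (!checkCredentials(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only after the credentials are accepted: discard the old session ID
        // and mark the new session as authenticated.
        HttpSession session = rotateSession(req);
        session.setAttribute("authenticatedUser", user);  // assumed attribute
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /**
     * Invalidates the current session (if one exists), creates a new one and
     * carries the old attributes across. The old JSESSIONID value is no longer
     * known to the container after invalidate(), so a client presenting it is
     * treated as unauthenticated.
     */
    static HttpSession rotateSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Placeholder credential check against the constructed store; a real
    // deployment delegates to its realm or identity provider.
    private boolean checkCredentials(String user, String pass) {
        if (user == null || pass == null) {
            return false;
        }
        String expected = USERS.get(user);
        return expected != null && expected.equals(pass);
    }
}
```

On Tomcat 5.5.29 and later the container does this itself for its own authenticators through the changeSessionIdOnAuthentication attribute the report mentions, which Apache ships enabled by default; application code like the servlet above is what fills the gap on the 5.5.23 builds named in the report, or for logins the application handles outside the container's authenticators.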

Comment 4 RHEL Program Management 2013-05-01 06:39:08 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 5 RHEL Program Management 2014-03-07 12:13:19 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the last planned RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX. To request that Red Hat reconsider this request, please re-open the bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Comment 6 RHEL Program Management 2014-06-02 13:01:52 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).

Comment 7 Red Hat Bugzilla 2023-09-14 01:28:10 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days