Bug 961779 (CVE-2013-2067)
| Summary: | CVE-2013-2067 tomcat: Session fixation in form authenticator | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | akurtako, djorm, dknox, ivan.afonichev, java-sig-commits, jdoyle, jrusnack, kdaniel, lgao, pslavice, rsvoboda, sochotni, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Apache Tomcat 6.0.37, Apache Tomcat 7.0.33 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-10-16 17:32:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 961807, 962715, 962717, 962719, 962720, 962723, 963007 | ||
| Bug Blocks: | 959037, 961808, 970481 | ||
|
Description
Jan Lieskovsky
2013-05-10 11:23:51 UTC
This issue did NOT affect the versions of the tomcat package, as shipped with Fedora release of 17 and 18 (the current versions already contain aforementioned upstream patch). -- This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 17 and 18. Please schedule an update. Created tomcat6 tracking bugs for this issue Affects: fedora-all [bug 961807] Upstream has made clear the following information: Note that the option to change session ID on authentication was added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation was an application responsibility. This vulnerability represents a bug in Tomcat's session fixation protection that was added in 6.0.21. Hence, only versions 6.0.21 onwards are listed as vulnerable. Tomcat 5.5.x >= 5.5.29 also includes the option to change session ID on authentication, as noted in the original request for this feature: https://issues.apache.org/bugzilla/show_bug.cgi?id=45255 Red Hat Enterprise Linux 5 provides Tomcat 5.5.23, which does not include this option, and therefore is not affected by this flaw. Statement: This flaw allows an attacker to circumvent a session fixation prevention mechanism which was implemented in tomcat 5.5.x >= 5.5.29, 6.0.x >= 6.0.21 and 7.x. Earlier versions of tomcat do not include this mechanism, and are therefore not affected by this flaw. JBoss Web as included in JBoss 5.x products also does not include this mechanism, and is not affected by this flaw. This issue has been addressed in following products: JBoss Enterprise Application Platform 6.1.0 Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html JBEAP 6 for RHEL 6 Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html JBEAP 6 for RHEL 5 Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0964 https://rhn.redhat.com/errata/RHSA-2013-0964.html This issue has been addressed in following products: JBEWS 2 for RHEL 6 Via RHSA-2013:1012 https://rhn.redhat.com/errata/RHSA-2013-1012.html This issue has been addressed in following products: JBEWS 2 for RHEL 5 Via RHSA-2013:1011 https://rhn.redhat.com/errata/RHSA-2013-1011.html This issue has been addressed in following products: Red Hat JBoss Web Server 2.0.1 Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html This issue has been addressed in following products: Red Hat JBoss Portal 6.1.0 Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html |