Bug 1311085 (CVE-2015-5346) - CVE-2015-5346 tomcat: Session fixation
Summary: CVE-2015-5346 tomcat: Session fixation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5346
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1311095 1311102 1316022 1316023 1322794 1322795 1347138 1347139 1352009 1381946
Blocks: 1311109 1318206 1382592
TreeView+ depends on / blocked
 
Reported: 2016-02-23 11:01 UTC by Timothy Walsh
Modified: 2021-02-17 04:19 UTC (History)
71 users (show)

Fixed In Version: tomcat 7.0.67, tomcat 8.0.32
Doc Type: Bug Fix
Doc Text:
A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:48:37 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1087 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 update 2016-05-17 20:31:38 UTC
Red Hat Product Errata RHSA-2016:1088 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 update 2016-05-17 20:30:35 UTC
Red Hat Product Errata RHSA-2016:1089 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 security update 2016-05-17 20:12:21 UTC
Red Hat Product Errata RHSA-2016:2046 0 normal SHIPPED_LIVE Important: tomcat security update 2016-10-11 00:38:43 UTC
Red Hat Product Errata RHSA-2016:2807 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 02:53:13 UTC
Red Hat Product Errata RHSA-2016:2808 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 03:03:17 UTC

Description Timothy Walsh 2016-02-23 11:01:42 UTC 
When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration.
Comment 1 Andrej Nemec 2016-02-23 11:35:17 UTC 
External references:

http://seclists.org/bugtraq/2016/Feb/143
Comment 2 Andrej Nemec 2016-02-23 12:02:43 UTC 
Upstream patches:

Tomcat7:

http://svn.apache.org/viewvc?view=revision&revision=1713187

Tomcat8:

http://svn.apache.org/viewvc?view=revision&revision=1713185
http://svn.apache.org/viewvc?view=revision&revision=1723506
Comment 6 errata-xmlrpc 2016-05-17 16:15:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
Comment 7 errata-xmlrpc 2016-05-17 16:32:16 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
Comment 8 errata-xmlrpc 2016-05-17 16:33:32 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
Comment 12 Fedora Update System 2016-09-01 16:19:08 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2016-09-02 09:21:02 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 errata-xmlrpc 2016-10-10 20:39:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html
Comment 17 errata-xmlrpc 2016-11-17 20:34:01 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html
Comment 18 errata-xmlrpc 2016-11-17 20:37:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html
Note You need to log in before you can comment on or make changes to this bug.