Bug 1311085 – CVE-2015-5346 tomcat: Session fixation

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1311085 - (CVE-2015-5346) CVE-2015-5346 tomcat: Session fixation

Summary:	CVE-2015-5346 tomcat: Session fixation

Status:	NEW

Aliases:	CVE-2015-5346

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20160222,reported=2...
Keywords:	Security

Depends On:	1311095 1311102 1316022 1316023 1322794 1322795 1347138 1347139 1352009 1381946
Blocks:	1311109 1318206 1382592
	Show dependency tree / graph

Reported:	2016-02-23 06:01 EST by Timothy Walsh
Modified:	2018-08-27 17:29 EDT (History)
CC List:	72 users (show)

See Also:
Fixed In Version:	tomcat 7.0.67, tomcat 8.0.32
Doc Type:	Bug Fix
Doc Text:	A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1087	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Web Server 3.0.3 update	2016-05-17 16:31:38 EDT
Red Hat Product Errata	RHSA-2016:1088	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Web Server 3.0.3 update	2016-05-17 16:30:35 EDT
Red Hat Product Errata	RHSA-2016:1089	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Web Server 3.0.3 security update	2016-05-17 16:12:21 EDT
Red Hat Product Errata	RHSA-2016:2046	normal	SHIPPED_LIVE	Important: tomcat security update	2016-10-10 20:38:43 EDT
Red Hat Product Errata	RHSA-2016:2807	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7	2016-11-17 21:53:13 EST
Red Hat Product Errata	RHSA-2016:2808	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7	2016-11-17 22:03:17 EST

Groups: None (edit)

Description Timothy Walsh 2016-02-23 06:01:42 EST

When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration.

Comment 1 Andrej Nemec 2016-02-23 06:35:17 EST

External references:

http://seclists.org/bugtraq/2016/Feb/143

Comment 2 Andrej Nemec 2016-02-23 07:02:43 EST

Upstream patches:

Tomcat7:

http://svn.apache.org/viewvc?view=revision&revision=1713187

Tomcat8:

http://svn.apache.org/viewvc?view=revision&revision=1713185
http://svn.apache.org/viewvc?view=revision&revision=1723506

Comment 6 errata-xmlrpc 2016-05-17 12:15:29 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html

Comment 7 errata-xmlrpc 2016-05-17 12:32:16 EDT

This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088

Comment 8 errata-xmlrpc 2016-05-17 12:33:32 EDT

This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087

Comment 12 Fedora Update System 2016-09-01 12:19:08 EDT

tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-09-02 05:21:02 EDT

tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 errata-xmlrpc 2016-10-10 16:39:57 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html

Comment 17 errata-xmlrpc 2016-11-17 15:34:01 EST

This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

Comment 18 errata-xmlrpc 2016-11-17 15:37:47 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
alee
anemec
asantos
bbaranow
bdawidow
bmaxwell
brms-jira
ccoleman
cdewolf
chazlett
coolsvap
csutherl
dandread
darran.lofthouse
dknox
dmcphers
epp-bugs
etirelli
fnasser
gvarsami
huwang
ivan.afonichev
jason.greene
java-sig-commits
jawilson
jboss-set
jbpapp-maint
jclere
jcoleman
jdg-bugs
jdoyle
jialiu
joelsmith
jokerman
jpallich
jshepherd
kconner
krzysztof.daniel
ldimaggi
lgao
lmeyer
lpetrovi
mbabacek
mbaluch
miburman
mmccomas
mpoole
mweiler
mwinkler
myarboro
nwallace
pcheung
pgier
psakar
pslavice
rnetuka
rrajasek
rsvoboda
rwagner
rzhang
soa-p-jira
spinder
tcunning
theute
tkirby
ttarrant
twalsh
vtunka
weli
yozone