Red Hat Bugzilla – Bug 429821
CVE-2008-0128 tomcat5 SSO cookie login information disclosure
Last modified: 2012-06-06 01:56:50 EDT
Description of problem:
"""When using the SingleSignOn Valve
(org.apache.catalina.authenticator.SingleSignOn) via https the Cookie
JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it
being transmitted to any content that is - by purpose or error - requested via
http from the same server.
As the content of the SSO-Cookie is confidential (it will lead to automatically
logged in sessions in other contexts - https or non-https) this should never
Also, according to the ASF BZ, upstream versions before 5.5.21 are vulnerable.
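To make the mechanism in the report concrete, the following is an added example (not from the bug report, Red Hat or Tomcat): it parses Set-Cookie header values, models the browser rule that a cookie lacking the Secure attribute is also attached to plain-http requests, and flags session cookies issued over https without it. The header values, the audit() function and the SESSION_COOKIE_NAMES set are constructed for the example; only the cookie name JSESSIONIDSSO comes from the report.

```python
"""Audit Set-Cookie headers for session cookies that would leak over plain HTTP.

Added example for this bug record, not Tomcat code. The header values are
constructed; the cookie name JSESSIONIDSSO comes from the report.
"""
from http.cookies import Morsel, SimpleCookie
from typing import Dict, List

# Cookies that carry authentication state: JSESSIONIDSSO is set by Tomcat's
# SingleSignOn valve, JSESSIONID is the ordinary Tomcat session cookie.
SESSION_COOKIE_NAMES = {"JSESSIONIDSSO", "JSESSIONID"}


def parse_set_cookie(header_values: List[str]) -> Dict[str, Morsel]:
    """Parse Set-Cookie header values (the text after 'Set-Cookie:') into name -> Morsel."""
    jar = SimpleCookie()
    for value in header_values:
        jar.load(value)  # one header per call; a later header overrides an earlier one
    return dict(jar)


def would_be_sent(morsel: Morsel, scheme: str, path: str = "/") -> bool:
    """Model the browser rule the bug relies on: a cookie without the Secure
    attribute is attached to http requests to the same host, not just https ones."""
    if morsel["secure"] and scheme != "https":
        return False
    cookie_path = morsel["path"] or "/"
    return path.startswith(cookie_path)


def audit(header_values: List[str], response_scheme: str = "https") -> List[str]:
    """Names of session cookies issued over https that a browser would also send
    over http, i.e. cookies that lack the Secure attribute."""
    if response_scheme != "https":
        return []  # Secure only protects cookies that were issued over https
    return [
        name
        for name, morsel in parse_set_cookie(header_values).items()
        if name in SESSION_COOKIE_NAMES and would_be_sent(morsel, "http")
    ]


# Constructed header values, not captured from a real server.
VULNERABLE = ["JSESSIONIDSSO=constructed-sso-token; Path=/"]          # as in the report
HARDENED = ["JSESSIONIDSSO=constructed-sso-token; Path=/; Secure"]    # cookie stays on https

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE))  # ['JSESSIONIDSSO']
    print("hardened:  ", audit(HARDENED))    # []
```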
This issue has been addressed in the following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html