Bug 806050 - tomcat5 vulnerable to session fixation attack [NEEDINFO]
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: tomcat5
Version: 5.9
Platform: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: David Knox
QA Contact: tomcat-qe
Reported: 2012-03-22 14:23 EDT by Jason Woodrich
Modified: 2015-11-01 19:17 EST
Last Closed: 2014-06-02 09:01:52 EDT
Doc Type: Bug Fix
Flags: pm-rhel: needinfo? (jwoodrich)
Attachments: None
Description Jason Woodrich 2012-03-22 14:23:40 EDT
Description of problem:

Tomcat prior to 5.5.29 is vulnerable to session fixation attacks.  In Tomcat 5.5.29 Apache introduced a property in context.xml for authenticators called changeSessionIdOnAuthentication that, when enabled, causes authenticators extending the AuthenticatorBase to change the session ID upon successful authentication.  This issue is detailed in https://issues.apache.org/bugzilla/show_bug.cgi?id=45255.  I'm requesting that this fix be provided in the version of Tomcat 5 that is bundled with RHEL 5.

Version-Release number of selected component (if applicable):

tomcat5-5.5.23-0jpp.19.el5_6, tomcat5-5.5.23-0jpp.22.el5_7

How reproducible:

Consistently easy.

Steps to Reproduce:
1. On computer A: Using Firefox and the Live HTTP Headers plugin, access a website on your Tomcat 5.5.23 server that uses some form of access control.
2. On computer A: Look for a cookie in Live HTTP Headers for JSESSIONID and copy the value of that cookie.
3. On computer B: Open Firefox with the Advanced Cookie Manager plugin.  Add a cookie for that site (Tools->Cookie Manager, click Add Cookie) for JSESSIONID with the same value identified from Live HTTP Headers.
4. On Computer B: Access a protected URL for that site on your Tomcat 5.5.23 server.

Actual results:

User on computer B can freely use the site as if they were the user on computer A.

Expected results:

Upon successful authentication Tomcat would generate a new session ID, thereby blocking any attempt to set a fixed session by an attacker.

Additional info:
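On Tomcat 5.5.29 and later the changeSessionIdOnAuthentication attribute on the authenticator valve performs the session ID change in the container; on 5.5.23 an application that handles its own login can do the equivalent itself. The helper below is an added example, not Tomcat's or the reporter's code: it discards the pre-authentication session (whose ID an attacker could have planted) and issues a fresh one before marking the user as logged in. The calling login servlet and the attribute name `authenticatedPrincipal` are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Application-side session rotation for containers that lack
 * changeSessionIdOnAuthentication. Call rotateAfterLogin() from the login
 * servlet (assumed) immediately after credentials have been verified.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Replaces the caller's current session with a new one, carrying over
     * attributes that were set before login (e.g. a shopping cart), then
     * records the authenticated principal only in the new session.
     * The old session ID stops resolving to anything once invalidated.
     */
    public static HttpSession rotateAfterLogin(HttpServletRequest request, Object principal) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // This invalidation is what defeats fixation: a JSESSIONID
            // copied to another browser before login is now worthless.
            old.invalidate();
        }
        // The container allocates a new ID and sets a new JSESSIONID cookie
        // (the response must not be committed yet for the cookie to be sent).
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Authentication state is written only after rotation, so no
        // pre-login session ever becomes an authenticated one.
        fresh.setAttribute("authenticatedPrincipal", principal);
        return fresh;
    }
}
```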
Comment 4 RHEL Product and Program Management 2013-05-01 02:39:08 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 5 RHEL Product and Program Management 2014-03-07 07:13:19 EST
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the last planned RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX. To request that Red Hat re-consider this request, please re-open the bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.
Comment 6 RHEL Product and Program Management 2014-06-02 09:01:52 EDT
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).