Bug 806050 - tomcat5 vulnerable to session fixation attack [NEEDINFO]
Summary: tomcat5 vulnerable to session fixation attack
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: tomcat5
Version: 5.9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: David Knox
QA Contact: tomcat-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-03-22 18:23 UTC by Jason Woodrich
Modified: 2018-11-27 20:02 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-02 13:01:52 UTC
Target Upstream Version:
pm-rhel: needinfo? (jwoodrich)



Description Jason Woodrich 2012-03-22 18:23:40 UTC
Description of problem:

Tomcat prior to 5.5.29 is vulnerable to session fixation attacks.  In Tomcat 5.5.29 Apache introduced a property in context.xml for authenticators called changeSessionIdOnAuthentication that, when enabled, causes authenticators extending the AuthenticatorBase to change the session ID upon successful authentication.  This issue is detailed in https://issues.apache.org/bugzilla/show_bug.cgi?id=45255.  I'm requesting that this fix be provided in the version of Tomcat 5 that is bundled with RHEL 5.

Version-Release number of selected component (if applicable):

tomcat5-5.5.23-0jpp.19.el5_6, tomcat5-5.5.23-0jpp.22.el5_7

How reproducible:

Consistently easy.

Steps to Reproduce:
1. On computer A: Using Firefox and the Live HTTP Headers plugin access a website on your Tomcat 5.5.23 server that uses some form of access control.
2. On computer A: Look for a cookie in Live HTTP Headers for JSESSIONID and copy the value of that cookie.
3. On computer B: Open Firefox with the Advanced Cookie Manager plugin.  Add a cookie for that site (Tools->Cookie Manager, click Add Cookie) for JSESSIONID with the same value identified from Live HTTP Headers.
4. On Computer B: Access a protected URL for that site on your Tomcat 5.5.23 server.
  
Actual results:

User on computer B can freely use the site as if they were the user on computer A.

Expected results:

Upon successful authentication Tomcat would generate a new session ID, thereby blocking any attempt to set a fixed session by an attacker.

Additional info:
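The fix the report asks for, changeSessionIdOnAuthentication, makes AuthenticatorBase discard the pre-login session ID once credentials are verified, so a JSESSIONID value that an attacker fixed in a victim's browser never becomes an authenticated session. On a 5.5.29 or later container that is a context.xml setting on the authenticator Valve (for FORM auth, assuming the stock valve: `<Valve className="org.apache.catalina.authenticator.FormAuthenticator" changeSessionIdOnAuthentication="true" />`). The following is an added example, not Tomcat code and not from the reporter, of the same rotation done in application code for a webapp that handles its own login on a Servlet 2.4 container such as Tomcat 5.5.23, where HttpServletRequest has no changeSessionId() method; the class name, the method name and the "authenticatedUser" attribute are assumptions for illustration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example: rotate the session identifier at the moment a user
 * authenticates. This mirrors what changeSessionIdOnAuthentication does
 * inside AuthenticatorBase from Tomcat 5.5.29, but for applications that
 * perform their own login handling. Class and method names are assumptions.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Replace the caller's current session with a fresh one, carrying over
     * attributes set before login (for example a "return-to" URL), and
     * return the new session. Call this only after the credentials have
     * been verified; anything associated with the old session ID is gone.
     */
    public static HttpSession rotateOnLogin(HttpServletRequest request, String principalName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // Invalidating removes the old ID from the container's session map,
            // so a request presenting the pre-login JSESSIONID maps to nothing.
            old.invalidate();
        }
        // getSession(true) after invalidate() makes the container generate a
        // new ID and send a new JSESSIONID Set-Cookie with this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // The authenticated principal is recorded only on the new session
        // (attribute name "authenticatedUser" is an assumption).
        fresh.setAttribute("authenticatedUser", principalName);
        return fresh;
    }
}
```

A quick regression check for either approach is the one the reporter's steps already use: capture the JSESSIONID Set-Cookie before the login POST and after it; the two values must differ, and a request that still presents the pre-login value must be treated as unauthenticated.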

Comment 4 RHEL Program Management 2013-05-01 06:39:08 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 5 RHEL Program Management 2014-03-07 12:13:19 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the last planned RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX. To request that Red Hat re-consider this request, please re-open the bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Comment 6 RHEL Program Management 2014-06-02 13:01:52 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).

