The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. Source: Tomcat security pages. [1,2]

[1] http://tomcat.apache.org/security-6.html
[2] http://tomcat.apache.org/security-7.html
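The point of the report above is the order of the checks: a nonce filter that only validates when a session already exists lets a session-less request straight through. The servlet filter below is an added illustration written for this page, not Tomcat's CsrfPreventionFilter or any Red Hat code. It treats "no session" as "no valid nonce" and rejects the request unless the path is a configured entry point. The attribute/parameter name `org.example.csrf.NONCE`, the `entryPoints` init parameter and the class name are assumptions chosen for the example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical fail-closed CSRF filter written to illustrate the session
 * handling point; it is not Tomcat's CsrfPreventionFilter.
 *
 * A request to a protected resource must carry a nonce equal to the one stored
 * in the caller's session. A request with no session cannot hold a valid nonce,
 * so it is rejected instead of being passed down the chain.
 */
public class FailClosedCsrfFilter implements Filter {

    // Assumed names; any application-specific attribute/parameter names work.
    static final String NONCE_ATTR = "org.example.csrf.NONCE";
    static final String NONCE_PARAM = "org.example.csrf.NONCE";

    private final Set<String> entryPoints = new HashSet<String>();
    private final SecureRandom random = new SecureRandom();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Comma-separated servlet paths reachable without a nonce, e.g.
        // "/index.jsp,/login"; these are where a session and nonce get issued.
        String configured = config.getInitParameter("entryPoints");
        if (configured != null) {
            for (String p : configured.split(",")) {
                entryPoints.add(p.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getServletPath();
        HttpSession session = request.getSession(false); // never create one while checking

        if (!entryPoints.contains(path)) {
            // The flawed shape is "if (session != null && nonce mismatch) reject",
            // which skips the check whenever no session is present.
            // Fail closed instead: no session means no valid nonce.
            if (session == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            String expected = (String) session.getAttribute(NONCE_ATTR);
            String supplied = request.getParameter(NONCE_PARAM);
            if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        // Issue a fresh nonce for the next request. One nonce per session keeps
        // the example short; a production filter keeps a small cache of recent
        // nonces so that concurrent tabs do not invalidate each other.
        request.getSession(true).setAttribute(NONCE_ATTR, newNonce());
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        entryPoints.clear();
    }

    // 128-bit random nonce, hex-encoded (avoids a Java 8 Base64 dependency).
    private String newNonce() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Length-independent comparison so response timing does not reveal how
    // much of the nonce matched.
    private static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes();
        byte[] y = b.getBytes();
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

Register it in web.xml with a `filter-mapping` covering the protected paths and an `entryPoints` init-param listing the pages that may be opened cold; every form and link those pages render must carry the session's current nonce as the `org.example.csrf.NONCE` parameter. A quick check that the filter fails closed is a request to a protected path with no session cookie: it should receive 403 rather than reaching the application.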
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
The CSRF prevention filter was introduced in tomcat 6.0.30, as noted in the changelog:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Red Hat Enterprise Linux 6 ships tomcat 6.0.24, and does not include the CSRF prevention filter. Therefore it is not affected by this flaw.
External References:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.32

Statement: This issue did not affect the versions of tomcat5 as shipped with Red Hat Enterprise Linux 5 and tomcat6 as shipped with Red Hat Enterprise Linux 6 as they did not include the CSRF prevention filter.
This issue has been addressed in the following products:
  JBoss Enterprise Web Server 2.0.0
Via RHSA-2013:0265 https://rhn.redhat.com/errata/RHSA-2013-0265.html

This issue has been addressed in the following products:
  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6
Via RHSA-2013:0268 https://rhn.redhat.com/errata/RHSA-2013-0268.html

This issue has been addressed in the following products:
  JBoss Enterprise Web Server 2.0.0
Via RHSA-2013:0267 https://rhn.redhat.com/errata/RHSA-2013-0267.html

This issue has been addressed in the following products:
  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6
Via RHSA-2013:0266 https://rhn.redhat.com/errata/RHSA-2013-0266.html

This issue has been addressed in the following products:
  JBoss Enterprise Application Platform 6.0.1
Via RHSA-2013:0648 https://rhn.redhat.com/errata/RHSA-2013-0648.html

This issue has been addressed in the following products:
  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6
Via RHSA-2013:0647 https://rhn.redhat.com/errata/RHSA-2013-0647.html

This issue has been addressed in the following products:
  JBoss Data Grid 6.1.0
Via RHSA-2013:0665 https://rhn.redhat.com/errata/RHSA-2013-0665.html

This issue has been addressed in the following products:
  Red Hat JBoss Portal 6.1.0
Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html

This issue has been addressed in the following products:
  Red Hat JBoss Operations Network 3.2.0
Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html