A session fixation flaw was found in the way FormAuthenticator module of Apache Tomcat, an Apache Servlet/JSP Engine, performed authentication requests management in certain circumstances (the most recent authentication request was associated with current user's session). An attacker could use this flaw to inject (and possibly successfully to complete) an authentication request, that would be executed using the credentials of the victim. Relevant upstream patch: * for Apache Tomcat 6.x: http://svn.apache.org/viewvc?view=revision&revision=1417891 * for Apache Tomcat 7.x: http://svn.apache.org/viewvc?view=rev&rev=1408044
This issue did NOT affect the versions of the tomcat package, as shipped with Fedora release of 17 and 18 (the current versions already contain aforementioned upstream patch). -- This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 17 and 18. Please schedule an update.
Created tomcat6 tracking bugs for this issue Affects: fedora-all [bug 961807]
Upstream has made clear the following information: Note that the option to change session ID on authentication was added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation was an application responsibility. This vulnerability represents a bug in Tomcat's session fixation protection that was added in 6.0.21. Hence, only versions 6.0.21 onwards are listed as vulnerable.
Tomcat 5.5.x >= 5.5.29 also includes the option to change session ID on authentication, as noted in the original request for this feature: https://issues.apache.org/bugzilla/show_bug.cgi?id=45255 Red Hat Enterprise Linux 5 provides Tomcat 5.5.23, which does not include this option, and therefore is not affected by this flaw.
Statement: This flaw allows an attacker to circumvent a session fixation prevention mechanism which was implemented in tomcat 5.5.x >= 5.5.29, 6.0.x >= 6.0.21 and 7.x. Earlier versions of tomcat do not include this mechanism, and are therefore not affected by this flaw. JBoss Web as included in JBoss 5.x products also does not include this mechanism, and is not affected by this flaw.
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.1.0 Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html JBEAP 6 for RHEL 6 Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html JBEAP 6 for RHEL 5 Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0964 https://rhn.redhat.com/errata/RHSA-2013-0964.html
This issue has been addressed in following products: JBEWS 2 for RHEL 6 Via RHSA-2013:1012 https://rhn.redhat.com/errata/RHSA-2013-1012.html
This issue has been addressed in following products: JBEWS 2 for RHEL 5 Via RHSA-2013:1011 https://rhn.redhat.com/errata/RHSA-2013-1011.html
This issue has been addressed in following products: Red Hat JBoss Web Server 2.0.1 Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html
This issue has been addressed in following products: Red Hat JBoss Portal 6.1.0 Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html