Bug 961779 - (CVE-2013-2067) CVE-2013-2067 tomcat: Session fixation in form authenticator
CVE-2013-2067 tomcat: Session fixation in form authenticator
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130510,repor...
: Security
Depends On: 961807 962715 962717 962719 962720 962723 963007
Blocks: 959037 961808 970481
  Show dependency treegraph
 
Reported: 2013-05-10 07:23 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:12 EST (History)
13 users (show)

See Also:
Fixed In Version: Apache Tomcat 6.0.37, Apache Tomcat 7.0.33
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-16 13:32:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-05-10 07:23:51 EDT
A session fixation flaw was found in the way FormAuthenticator module of Apache Tomcat, an Apache Servlet/JSP Engine, performed authentication requests management in certain circumstances (the most recent authentication request was associated with current user's session). An attacker could use this flaw to inject (and possibly successfully to complete) an authentication request, that would be executed using the credentials of the victim.

Relevant upstream patch:
* for Apache Tomcat 6.x:
  http://svn.apache.org/viewvc?view=revision&revision=1417891
* for Apache Tomcat 7.x:
  http://svn.apache.org/viewvc?view=rev&rev=1408044
Comment 1 Jan Lieskovsky 2013-05-10 08:56:32 EDT
This issue did NOT affect the versions of the tomcat package, as shipped with Fedora release of 17 and 18 (the current versions already contain aforementioned upstream patch).

--

This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 17 and 18. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-05-10 09:04:20 EDT
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 961807]
Comment 3 Vincent Danen 2013-05-13 11:06:44 EDT
Upstream has made clear the following information:

Note that the option to change session ID on authentication was added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation was an application responsibility. This vulnerability represents a bug in Tomcat's session fixation protection that was added in 6.0.21. Hence, only versions 6.0.21 onwards are listed as vulnerable.
Comment 4 David Jorm 2013-05-14 02:22:34 EDT
Tomcat 5.5.x >= 5.5.29 also includes the option to change session ID on authentication, as noted in the original request for this feature:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Red Hat Enterprise Linux 5 provides Tomcat 5.5.23, which does not include this option, and therefore is not affected by this flaw.
Comment 9 David Jorm 2013-05-16 19:56:46 EDT
Statement:

This flaw allows an attacker to circumvent a session fixation prevention mechanism which was implemented in tomcat 5.5.x >= 5.5.29, 6.0.x >= 6.0.21 and 7.x. Earlier versions of tomcat do not include this mechanism, and are therefore not affected by this flaw. JBoss Web as included in JBoss 5.x products also does not include this mechanism, and is not affected by this flaw.
Comment 10 David Jorm 2013-06-10 19:20:38 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
Comment 13 errata-xmlrpc 2013-06-20 10:41:33 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0964 https://rhn.redhat.com/errata/RHSA-2013-0964.html
Comment 14 errata-xmlrpc 2013-07-03 11:49:37 EDT
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2013:1012 https://rhn.redhat.com/errata/RHSA-2013-1012.html
Comment 15 errata-xmlrpc 2013-07-03 11:51:26 EDT
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2013:1011 https://rhn.redhat.com/errata/RHSA-2013-1011.html
Comment 16 errata-xmlrpc 2013-07-03 12:22:38 EDT
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html
Comment 17 errata-xmlrpc 2013-10-16 12:56:59 EDT
This issue has been addressed in following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html

Note You need to log in before you can comment on or make changes to this bug.