When the session tracking method is set to 'COOKIE' only, the org.apache.catalina.connector.Response.encodeURL() method will still return the url with the jsessionid appended as a query string parameter when processing the first request of a session. This is unexpected when sessions are only tracked using cookies. As a result, the jsessionid could be leaked in a way not anticipated by the application developer. An attacker could potentially exploit this using a man-in-the-middle attack, or extracting the jsessionid from log files. A fix has been committed upstream on the 7.2.x branch as a commit for JBWEB-249 [1] and is committed as revision 2106 [2]. A possible mitigation for this would be to use SSL encryption as this would reduce the risk of a man-in-the-middle attack. There are two possible workarounds that may be used. Both work by re-writing the url. The first is to use filters as described at [3]. The other option is to use rewrite valves, similar to the method outlined at [4]. Note that there is a change in rewrite syntax for JBoss Web 7.x as detailed at [5]. [1] https://issues.jboss.org/browse/JBWEB-249 [2] https://source.jboss.org/browse/JBossWeb/branches/7.2.x/src/main/java/org/apache/catalina/connector/Response.java?r2=2106&r1=2086 [3] https://access.redhat.com/knowledge/solutions/16169 [4] https://access.redhat.com/knowledge/solutions/64778 [5] http://docs.jboss.org/jbossweb/7.0.x/rewrite.html
This flaw only affects JBoss Web, not tomcat. The relevant feature is part of the Servlet 3.0 specification, which is not supported in tomcat 5 and 6. tomcat 7 is not vulnerable to this flaw.
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.1.0 Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html
This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html
This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html
This issue has been addressed in following products: Red Hat JBoss Portal 6.1.0 Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html