Bug 868202 (CVE-2012-4529) - CVE-2012-4529 JBoss Web: jsessionid exposed via encoded url when using cookie based session tracking
Summary: CVE-2012-4529 JBoss Web: jsessionid exposed via encoded url when using cookie...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4529
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 868788 868789 868790 901087 965333
Blocks: 868779 920007 970481
TreeView+ depends on / blocked
 
Reported: 2012-10-19 09:18 UTC by Arun Babu Neelicattu
Modified: 2019-09-29 12:56 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-17 01:37:38 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
JBoss Issue Tracker JBPAPP-10242 Major Closed CVE-2012-4529 JBoss Web: Fix required for EAP 6 2018-11-10 10:45:11 UTC
Red Hat Product Errata RHSA-2013:0833 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 18:31:18 UTC
Red Hat Product Errata RHSA-2013:0834 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 23:19:13 UTC
Red Hat Product Errata RHSA-2013:0839 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 23:18:52 UTC
Red Hat Product Errata RHSA-2013:1437 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.1.0 update 2013-10-16 20:53:32 UTC

Description Arun Babu Neelicattu 2012-10-19 09:18:17 UTC
When the session tracking method is set to 'COOKIE' only, the org.apache.catalina.connector.Response.encodeURL() method will still return the url with the jsessionid appended as a query string parameter when processing the first request of a session. This is unexpected when sessions are only tracked using cookies. As a result, the jsessionid could be leaked in a way not anticipated by the application developer. An attacker could potentially exploit this using a man-in-the-middle attack, or extracting the jsessionid from log files.

A fix has been committed upstream on the 7.2.x branch as a commit for JBWEB-249 [1] and is committed as revision 2106 [2].

A possible mitigation for this would be to use SSL encryption as this would reduce the risk of a man-in-the-middle attack.

There are two possible workarounds that may be used. Both work by re-writing the url. The first is to use filters as described at [3]. The other option is to use rewrite valves, similar to the method outlined at [4]. Note that there is a change in rewrite syntax for JBoss Web 7.x as detailed at [5].

[1] https://issues.jboss.org/browse/JBWEB-249
[2] https://source.jboss.org/browse/JBossWeb/branches/7.2.x/src/main/java/org/apache/catalina/connector/Response.java?r2=2106&r1=2086
[3] https://access.redhat.com/knowledge/solutions/16169
[4] https://access.redhat.com/knowledge/solutions/64778
[5] http://docs.jboss.org/jbossweb/7.0.x/rewrite.html

Comment 10 David Jorm 2012-10-31 05:31:35 UTC
This flaw only affects JBoss Web, not tomcat. The relevant feature is part of the Servlet 3.0 specification, which is not supported in tomcat 5 and 6. tomcat 7 is not vulnerable to this flaw.

Comment 11 errata-xmlrpc 2013-05-20 14:31:53 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html

Comment 12 errata-xmlrpc 2013-05-20 15:25:31 UTC
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html

Comment 13 errata-xmlrpc 2013-05-20 15:40:00 UTC
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html

Comment 16 errata-xmlrpc 2013-10-16 16:55:30 UTC
This issue has been addressed in following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html


Note You need to log in before you can comment on or make changes to this bug.