Bug 961779 (CVE-2013-2067) - CVE-2013-2067 tomcat: Session fixation in form authenticator
Summary: CVE-2013-2067 tomcat: Session fixation in form authenticator
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2067
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 961807 962715 962717 962719 962720 962723 963007
Blocks: 959037 961808 970481
TreeView+ depends on / blocked
 
Reported: 2013-05-10 11:23 UTC by Jan Lieskovsky
Modified: 2021-02-17 07:43 UTC (History)
13 users (show)

Fixed In Version: Apache Tomcat 6.0.37, Apache Tomcat 7.0.33
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-16 17:32:17 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0964 0 normal SHIPPED_LIVE Moderate: tomcat6 security update 2013-06-20 18:41:08 UTC
Red Hat Product Errata RHSA-2013:1011 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 19:47:30 UTC
Red Hat Product Errata RHSA-2013:1012 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 19:47:16 UTC
Red Hat Product Errata RHSA-2013:1013 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 20:18:21 UTC
Red Hat Product Errata RHSA-2013:1437 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.1.0 update 2013-10-16 20:53:32 UTC

Description Jan Lieskovsky 2013-05-10 11:23:51 UTC
A session fixation flaw was found in the way FormAuthenticator module of Apache Tomcat, an Apache Servlet/JSP Engine, performed authentication requests management in certain circumstances (the most recent authentication request was associated with current user's session). An attacker could use this flaw to inject (and possibly successfully to complete) an authentication request, that would be executed using the credentials of the victim.

Relevant upstream patch:
* for Apache Tomcat 6.x:
  http://svn.apache.org/viewvc?view=revision&revision=1417891
* for Apache Tomcat 7.x:
  http://svn.apache.org/viewvc?view=rev&rev=1408044

Comment 1 Jan Lieskovsky 2013-05-10 12:56:32 UTC
This issue did NOT affect the versions of the tomcat package, as shipped with Fedora release of 17 and 18 (the current versions already contain aforementioned upstream patch).

--

This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 17 and 18. Please schedule an update.

Comment 2 Jan Lieskovsky 2013-05-10 13:04:20 UTC
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 961807]

Comment 3 Vincent Danen 2013-05-13 15:06:44 UTC
Upstream has made clear the following information:

Note that the option to change session ID on authentication was added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation was an application responsibility. This vulnerability represents a bug in Tomcat's session fixation protection that was added in 6.0.21. Hence, only versions 6.0.21 onwards are listed as vulnerable.

Comment 4 David Jorm 2013-05-14 06:22:34 UTC
Tomcat 5.5.x >= 5.5.29 also includes the option to change session ID on authentication, as noted in the original request for this feature:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

Red Hat Enterprise Linux 5 provides Tomcat 5.5.23, which does not include this option, and therefore is not affected by this flaw.

Comment 9 David Jorm 2013-05-16 23:56:46 UTC
Statement:

This flaw allows an attacker to circumvent a session fixation prevention mechanism which was implemented in tomcat 5.5.x >= 5.5.29, 6.0.x >= 6.0.21 and 7.x. Earlier versions of tomcat do not include this mechanism, and are therefore not affected by this flaw. JBoss Web as included in JBoss 5.x products also does not include this mechanism, and is not affected by this flaw.

Comment 10 David Jorm 2013-06-10 23:20:38 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html

Comment 13 errata-xmlrpc 2013-06-20 14:41:33 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0964 https://rhn.redhat.com/errata/RHSA-2013-0964.html

Comment 14 errata-xmlrpc 2013-07-03 15:49:37 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2013:1012 https://rhn.redhat.com/errata/RHSA-2013-1012.html

Comment 15 errata-xmlrpc 2013-07-03 15:51:26 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2013:1011 https://rhn.redhat.com/errata/RHSA-2013-1011.html

Comment 16 errata-xmlrpc 2013-07-03 16:22:38 UTC
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html

Comment 17 errata-xmlrpc 2013-10-16 16:56:59 UTC
This issue has been addressed in following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html


Note You need to log in before you can comment on or make changes to this bug.