When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Reference:
https://tomcat.apache.org/security-7.html
https://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Upstream commits:
https://github.com/apache/tomcat/commit/ab72a10
https://github.com/apache/tomcat/commit/e19a202
https://github.com/apache/tomcat/commit/1ecba14
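The class of bug named above, session fixation, arises when the session identifier a client held before authenticating remains valid as the authenticated session after login. Tomcat's form authenticator guards against this by issuing a new session ID on successful authentication (the Authenticator's changeSessionIdOnAuthentication setting, analogous to the Servlet API's HttpServletRequest.changeSessionId()). The Python model below is an added illustration, not part of this bug report or of Tomcat's code: it contrasts a login that keeps the pre-login ID with one that rotates it, and provides a check a defender can run against either pattern. The session store, user name "alice" and function names are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store: id -> attribute dict (constructed for the example)."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def login_without_rotation(store, sid, user):
    """Weak pattern: authenticates whatever session id the request carried.
    An id that existed before login stays valid afterwards, which is the
    precondition for session fixation."""
    session = store.get(sid)
    if session is None:
        sid = store.create()
        session = store.get(sid)
    session["user"] = user
    return sid


def login_with_rotation(store, sid, user):
    """Hardened pattern: retire the pre-login id, carry the attributes over
    to a freshly generated id, and only then mark the session authenticated.
    This is the behaviour changeSessionIdOnAuthentication provides in Tomcat
    (conceptually; this is not Tomcat's implementation)."""
    attributes = store.sessions.pop(sid, None)
    if attributes is None:
        attributes = {"user": None}
    attributes["user"] = user
    new_sid = secrets.token_urlsafe(24)
    store.sessions[new_sid] = attributes
    return new_sid


def pre_login_id_becomes_authenticated(login):
    """Defender's check: does an id known before authentication turn into an
    authenticated session? True means the login flow is fixation-prone."""
    store = SessionStore()
    pre_login_sid = store.create()
    login(store, pre_login_sid, "alice")
    session = store.get(pre_login_sid)
    return session is not None and session["user"] == "alice"


def authenticated_id_is_fresh(login):
    """Complementary check: the id returned after login is authenticated and
    differs from the one the client held before login."""
    store = SessionStore()
    pre_login_sid = store.create()
    post_login_sid = login(store, pre_login_sid, "alice")
    session = store.get(post_login_sid)
    return (session is not None and session["user"] == "alice"
            and post_login_sid != pre_login_sid)


if __name__ == "__main__":
    for name, fn in (("without rotation", login_without_rotation),
                     ("with rotation", login_with_rotation)):
        print(f"{name}: fixation-prone={pre_login_id_becomes_authenticated(fn)}, "
              f"fresh id after login={authenticated_id_is_fresh(fn)}")
```

The rotation step must happen before the session is marked authenticated and must invalidate the old id; the "narrow window" described in the comment above is exactly the kind of gap that opens when those two operations are not ordered atomically with respect to concurrent requests on the same session.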
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1785712]
Affects: fedora-all [bug 1785713]
External References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.30
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.50
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.99
http://mail-archives.apache.org/mod_mbox/www-announce/201912.mbox/%3C21b7a375-7297-581b-1f8e-06622d36775b@apache.org%3E
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:0860 https://access.redhat.com/errata/RHSA-2020:0860

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2020:0861 https://access.redhat.com/errata/RHSA-2020:0861
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17563
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.3 on RHEL 7
  Red Hat JBoss Web Server 5.3 on RHEL 6
  Red Hat JBoss Web Server 5.3 on RHEL 8

Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4004 https://access.redhat.com/errata/RHSA-2020:4004

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0882 https://access.redhat.com/errata/RHSA-2021:0882

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:1030 https://access.redhat.com/errata/RHSA-2021:1030