lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <56CAEF96.7070701@apache.org>
Date: Mon, 22 Feb 2016 11:23:02 +0000
From: Mark Thomas <markt@...che.org>
To: "users@...cat.apache.org" <users@...cat.apache.org>
Cc: "announce@...cat.apache.org" <announce@...cat.apache.org>,
  announce@...che.org, "dev@...cat.apache.org" <dev@...cat.apache.org>,
  full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2015-5346 Apache Tomcat Session fixation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2015-5346 Apache Tomcat Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 7.0.5 to 7.0.65
- - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - Apache Tomcat 9.0.0.M1

Description:
When recycling the Request object to use for a new request, the
requestedSessionSSL field was not recycled. This meant that a session ID
provided in the next request to be processed using the recycled Request
object could be used when it should not have been. This gave the client
the ability to control the session ID. In theory, this could have been
used as part of a session fixation attack but it would have been hard to
achieve as the attacker would not have been able to force the victim to
use the 'correct' Request object. It was also necessary for at least one
web application to be configured to use the SSL session ID as the HTTP
session ID. This is not a common configuration.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.30 or later
- - Upgrade to Apache Tomcat 7.0.67 or later
  (7.0.66 has the fix but was not released)


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu+WAAoJEBDAHFovYFnnNasQANmHvs8L9RvbPSPvmR8sT9rc
nfoC64cVqVFx6G99+iskQ4SKL00zZk10gCNKvwu6aBW8Dv7U+sqoo09vtIVJ9qvD
9qBIaZMfnqMxMaHtonUj8E1/9GryquYNj7pWMf0tut2/RIvQq8/1tAtTgrzjVXG2
qtpB/ECBHQ53tJuPxRDakgav17Ok90DbAO4rsSdmCUwUg8NEYieNb6RG4eRSvuav
ffE2zaicXIHWLdnVEMpOWtum76+GMfS5B+zd03/OQmiJy+arVvGwyrn1ydKZI1JI
7gQT97SgLlI3iGtK3tc4S56tNQ9+K2oMp2B0qAceNG9MWimED9sC1aXoAARacoYI
c+cZdnhiRxsYycEdTXbNqhat+se6vKeXqgrsrr3CbNmaNl6siRZD/d+9PbmXh+0z
hHSC9tmG5ZAO3vS4wwHX+9qZlfdcQ2zAZnAnRZKtuRMgDphP+wszain4p+U82TV9
eshrfHzzN4R0kuBWXkl4Pf4KQd+ZCVmp8efXFcyXK2fV7FUmLRvwtZ43EPa77tRI
egiZcN/WEqGHODKNr/AGQYuiuEU7gm3hqnJlgDLpPzKF2ptkLcEh9/HYcW9yI1Kf
x+fKtcfr6jGjJRxFw5PRsHEO8ToE8w38mPmeLzQH3WRcoc+g5+BinbIe/fwMsVPM
cAK/Ln4UhXIcIM1f7h5M
=is2n
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ