#VU87535 Session Fixation in Apache Tomcat
Vulnerability identifier: #VU87535
Vulnerability risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-384
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Tomcat
Server applications /
Web servers
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to compromise accounts of other users.
The vulnerability exists due to an insecure way of handling sessions. A remote attacker can leverage the requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java and hijack web sessions of web application users.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Tomcat: 9.0.0-M1, 8.0.0 - 8.0.29, 7.0.0 - 7.0.65
External links
http://svn.apache.org/viewvc?view=revision&revision=1713185
http://bz.apache.org/bugzilla/show_bug.cgi?id=58809
http://svn.apache.org/viewvc?view=revision&revision=1713184
http://svn.apache.org/viewvc?view=revision&revision=1713187
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://svn.apache.org/viewvc?view=revision&revision=1723414
http://tomcat.apache.org/security-7.html
http://svn.apache.org/viewvc?view=revision&revision=1723506
http://seclists.org/bugtraq/2016/Feb/143
http://www.debian.org/security/2016/dsa-3530
http://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
http://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
http://www.debian.org/security/2016/dsa-3609
http://www.ubuntu.com/usn/USN-3024-1
http://www.debian.org/security/2016/dsa-3552
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://rhn.redhat.com/errata/RHSA-2016-2046.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://www.securityfocus.com/bid/83323
http://access.redhat.com/errata/RHSA-2016:1087
http://rhn.redhat.com/errata/RHSA-2016-1089.html
http://access.redhat.com/errata/RHSA-2016:1088
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
http://bto.bluecoat.com/security-advisory/sa118
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
http://www.securitytracker.com/id/1035069
http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
http://security.gentoo.org/glsa/201705-09
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://security.netapp.com/advisory/ntap-20180531-0001/
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
