When recycling the Request object to use for a new request, the requestedSessionSSL field was not recycled. This meant that a session ID provided in the next request to be processed using the recycled Request object could be used when it should not have been. This gave the client the ability to control the session ID. In theory, this could have been used as part of a session fixation attack but it would have been hard to achieve as the attacker would not have been able to force the victim to use the 'correct' Request object. It was also necessary for at least one web application to be configured to use the SSL session ID as the HTTP session ID. This is not a common configuration. Apache Tomcat versions 7.0.5 through 7.0.65, 8.0.0.RC1 through 8.0.30, and 9.0.0.M1 are affected.
f04a5470641204db89ec17e9b80c496ffce8bd8aae7f2efd4bc0229158a89b21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2015-5346 Apache Tomcat Session fixation
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - Apache Tomcat 7.0.5 to 7.0.65
- - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - Apache Tomcat 9.0.0.M1
Description:
When recycling the Request object to use for a new request, the
requestedSessionSSL field was not recycled. This meant that a session ID
provided in the next request to be processed using the recycled Request
object could be used when it should not have been. This gave the client
the ability to control the session ID. In theory, this could have been
used as part of a session fixation attack but it would have been hard to
achieve as the attacker would not have been able to force the victim to
use the 'correct' Request object. It was also necessary for at least one
web application to be configured to use the SSL session ID as the HTTP
session ID. This is not a common configuration.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
(9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.30 or later
- - Upgrade to Apache Tomcat 7.0.67 or later
(7.0.66 has the fix but was not released)
Credit:
This issue was discovered by the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWyu+WAAoJEBDAHFovYFnnNasQANmHvs8L9RvbPSPvmR8sT9rc
nfoC64cVqVFx6G99+iskQ4SKL00zZk10gCNKvwu6aBW8Dv7U+sqoo09vtIVJ9qvD
9qBIaZMfnqMxMaHtonUj8E1/9GryquYNj7pWMf0tut2/RIvQq8/1tAtTgrzjVXG2
qtpB/ECBHQ53tJuPxRDakgav17Ok90DbAO4rsSdmCUwUg8NEYieNb6RG4eRSvuav
ffE2zaicXIHWLdnVEMpOWtum76+GMfS5B+zd03/OQmiJy+arVvGwyrn1ydKZI1JI
7gQT97SgLlI3iGtK3tc4S56tNQ9+K2oMp2B0qAceNG9MWimED9sC1aXoAARacoYI
c+cZdnhiRxsYycEdTXbNqhat+se6vKeXqgrsrr3CbNmaNl6siRZD/d+9PbmXh+0z
hHSC9tmG5ZAO3vS4wwHX+9qZlfdcQ2zAZnAnRZKtuRMgDphP+wszain4p+U82TV9
eshrfHzzN4R0kuBWXkl4Pf4KQd+ZCVmp8efXFcyXK2fV7FUmLRvwtZ43EPa77tRI
egiZcN/WEqGHODKNr/AGQYuiuEU7gm3hqnJlgDLpPzKF2ptkLcEh9/HYcW9yI1Kf
x+fKtcfr6jGjJRxFw5PRsHEO8ToE8w38mPmeLzQH3WRcoc+g5+BinbIe/fwMsVPM
cAK/Ln4UhXIcIM1f7h5M
=is2n
-----END PGP SIGNATURE-----