
Apache Tomcat 7.0.x < 7.0.67 / 8.0.x < 8.0.32 Session Hijacking

Medium

Synopsis

The remote web server is missing an Apache Tomcat patch update.

Description

Apache Tomcat 7.0.x before 7.0.67 and 8.0.x before 8.0.32 are affected by a session fixation flaw. When a new session is established, the container does not invalidate the existing session identifier and assign a new one. By sending a specially crafted request that fixates the session identifier via the 'requestedSessionSSL' field, a context-dependent attacker can ensure that a user authenticates with a session identifier the attacker already knows, allowing the session to be hijacked afterwards. This vulnerability is only present when at least one web application is configured to use the SSL session ID as the HTTP session ID.

Solution

Update to Apache Tomcat version 8.0.32 or later. If version 8.0.x cannot be obtained, version 7.0.67 is also patched for this vulnerability.
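The version ranges and the configuration condition above can be turned into a simple triage check. The following is an added example, not code from this advisory or from Tomcat: it parses a constructed version banner, reports whether the build is inside an affected range, and only flags the host as exposed when the operator also confirms that a web application uses the SSL session ID as the HTTP session ID (the `ssl_session_id_as_http_session_id` flag is an assumed input supplied from a separate configuration review).

```python
import re
from typing import NamedTuple, Optional, Tuple

# First fixed build per affected branch, as stated in the advisory:
# 7.0.x is fixed in 7.0.67, 8.0.x is fixed in 8.0.32.
FIXED_IN = {(7, 0): 67, (8, 0): 32}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


class Finding(NamedTuple):
    version: Optional[Tuple[int, int, int]]  # parsed (major, minor, build) or None
    unpatched: bool   # build lies inside an affected range
    exposed: bool     # unpatched AND a webapp uses the SSL session ID as HTTP session ID
    fix: Optional[str]  # first patched build on the same branch, if affected


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, build) from strings such as '8.0.30' or
    'Apache Tomcat/7.0.65'; return None when no dotted version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def assess(banner: str, ssl_session_id_as_http_session_id: bool) -> Finding:
    """Classify a Tomcat version banner against the advisory's affected ranges.
    Branches the advisory does not name (6.0.x, 8.5.x, 9.0.x, ...) are reported
    as not affected by this advisory rather than guessed at."""
    version = parse_version(banner)
    if version is None:
        return Finding(None, False, False, None)
    major, minor, build = version
    fixed_build = FIXED_IN.get((major, minor))
    unpatched = fixed_build is not None and build < fixed_build
    # The flaw is only reachable when the SSL session ID doubles as the
    # HTTP session ID, so a patch-level hit alone is not yet exposure.
    exposed = unpatched and ssl_session_id_as_http_session_id
    fix = f"{major}.{minor}.{fixed_build}" if unpatched else None
    return Finding(version, unpatched, exposed, fix)


if __name__ == "__main__":
    # Constructed banners for demonstration only.
    for banner in ("Apache Tomcat/8.0.30", "Apache Tomcat/7.0.67", "8.5.4"):
        print(banner, assess(banner, ssl_session_id_as_http_session_id=True))
```

An unpatched host that does not use SSL session ID tracking is still reported as `unpatched`, so the version finding is not lost when the exposure condition is absent.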