Apache Tomcat 7.0.x < 7.0.67 / 8.0.x < 8.0.32 Session Hijacking

Nessus Network Monitor Plugin ID 9314 (Severity: Medium)

Synopsis

The remote web server is missing an Apache Tomcat patch update.

Description

Apache Tomcat 7.0.x before 7.0.67 and 8.0.x before 8.0.32 are affected by a session fixation flaw. When establishing a new session, the application does not invalidate an existing session identifier and assign a new one. By fixating the session identifier through the 'requestedSessionSSL' field with a specially crafted request, a context-dependent attacker can ensure that a user authenticates with a session identifier the attacker already knows, after which the session can be hijacked. The vulnerability is only present when at least one web application is configured to use the SSL session ID as the HTTP session ID.

Solution

Update to Apache Tomcat version 8.0.32 or later. If version 8.0.x cannot be obtained, version 7.0.67 is also patched for this vulnerability.

See Also

http://svn.apache.org/viewvc?view=rev&rev=1713187

http://svn.apache.org/viewvc?view=rev&rev=1713185

http://svn.apache.org/viewvc?view=rev&rev=1723506

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-8.html

Plugin Details

Severity: Medium

ID: 9314

Family: Web Servers

Published: 5/24/2016

Updated: 3/6/2019

Nessus ID: 88937

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Patch Publication Date: 12/10/2015

Vulnerability Publication Date: 2/22/2016

Reference Information

CVE: CVE-2015-5346

BID: 83323