Vulnerability identifier: #VU87535
Vulnerability risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-384
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Tomcat
Server applications /
Web servers
Vendor: Apache Software Foundation
Description
The vulnerability allows a remote attacker to hijack the web sessions of other users of an affected application (session fixation).
The vulnerability exists due to insecure session handling in the request pipeline (CoyoteAdapter.java and Request.java): the requestedSessionSSL field of the request object is not reset between requests, so the session identifier state from one request can be carried over into an unrelated later request. A remote attacker can leverage this to have a session identifier of their choosing accepted for a victim's request and thereby hijack that user's session. The vendor advisories linked below describe the triggering condition (multiple versions of the same web application deployed in parallel with different session settings); the precondition narrows exposure, but where it holds, no authentication or user interaction is required.
Mitigation
Upgrade to Apache Tomcat 7.0.66, 8.0.30 or 9.0.0.M2 (or later) from the vendor's website. The Debian, Ubuntu, Red Hat, SUSE and Gentoo advisories linked below identify the distribution packages that carry the backported fix. Until the upgrade is applied, avoid deploying multiple versions of the same web application in parallel with differing session-tracking settings, as that is the configuration the vendor advisories describe as affected.
Vulnerable software versions
Apache Tomcat: 7.0.0 - 7.0.65, 8.0.0 RC1 - 8.0.29, 9.0.0-M1
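The affected ranges above mix final releases with release candidates (8.0.0 RC1) and milestone builds (9.0.0-M1), and a plain string comparison gets those wrong. The following is an added example, not part of this advisory or of Tomcat itself: a small Python checker that parses a Tomcat version string as reported by `bin/version.sh` (the "Server version: Apache Tomcat/x.y.z" line) or typed by hand, orders milestones before release candidates before the final release, and tests it against the ranges listed here. The version banner embedded below is constructed for the example.

```python
import re
from typing import NamedTuple

# Ordering for Tomcat pre-release markers: milestone (M) < release candidate (RC) < final.
_STAGE_MILESTONE, _STAGE_RC, _STAGE_FINAL = 0, 1, 2


class TomcatVersion(NamedTuple):
    """Tuple ordering gives the correct comparison, e.g. 8.0.0 RC1 < 8.0.0 < 8.0.29."""
    major: int
    minor: int
    patch: int
    stage: int      # one of the _STAGE_* constants
    stage_num: int  # RC/M number, 0 for a final release


# Accepts "7.0.65", "Apache Tomcat/8.0.29", "8.0.0 RC1", "8.0.0-RC3", "9.0.0-M1", "9.0.0.M2".
_VERSION_RE = re.compile(
    r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[-. ]?(M|RC)(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> TomcatVersion:
    """Parse a Tomcat version string into a comparable tuple; raise on unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is None:
        return TomcatVersion(major, minor, patch, _STAGE_FINAL, 0)
    stage = _STAGE_MILESTONE if m.group(4).upper() == "M" else _STAGE_RC
    return TomcatVersion(major, minor, patch, stage, int(m.group(5)))


# Affected ranges exactly as listed in this advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ("7.0.0", "7.0.65"),
    ("8.0.0 RC1", "8.0.29"),
    ("9.0.0-M1", "9.0.0-M1"),
)


def is_affected(version: str) -> bool:
    """True if the given version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_banner(output: str) -> str:
    """Pull the version out of `bin/version.sh` / `catalina.sh version` output."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Server version:' line found in output")


# Constructed sample of version.sh output for the example (not captured from a real host).
SAMPLE_VERSION_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/8.0.29
Server built:   Nov 20 2015 13:20:54 UTC
Server number:  8.0.29.0
OS Name:        Linux
"""


if __name__ == "__main__":
    reported = version_from_banner(SAMPLE_VERSION_OUTPUT)
    print(f"{reported}: {'AFFECTED' if is_affected(reported) else 'not affected'}")
    for candidate in ("7.0.66", "8.0.0-RC3", "9.0.0-M1", "9.0.0.M2"):
        print(f"{candidate}: {'AFFECTED' if is_affected(candidate) else 'not affected'}")
```

Run it against the output of `$CATALINA_HOME/bin/version.sh` on each host; because the comparison is on the parsed tuple rather than the raw string, 8.0.0-RC3 is correctly placed inside the 8.0 range and 9.0.0.M2 correctly outside the 9.0 range.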
External links
https://svn.apache.org/viewvc?view=revision&revision=1713185
https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
https://svn.apache.org/viewvc?view=revision&revision=1713184
https://svn.apache.org/viewvc?view=revision&revision=1713187
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
https://svn.apache.org/viewvc?view=revision&revision=1723414
https://tomcat.apache.org/security-7.html
https://svn.apache.org/viewvc?view=revision&revision=1723506
https://seclists.org/bugtraq/2016/Feb/143
https://www.debian.org/security/2016/dsa-3530
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://www.debian.org/security/2016/dsa-3609
https://www.ubuntu.com/usn/USN-3024-1
https://www.debian.org/security/2016/dsa-3552
https://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
https://rhn.redhat.com/errata/RHSA-2016-2046.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
https://www.securityfocus.com/bid/83323
https://access.redhat.com/errata/RHSA-2016:1087
https://rhn.redhat.com/errata/RHSA-2016-1089.html
https://access.redhat.com/errata/RHSA-2016:1088
https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
https://bto.bluecoat.com/security-advisory/sa118
https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
https://www.securitytracker.com/id/1035069
https://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
https://security.gentoo.org/glsa/201705-09
https://rhn.redhat.com/errata/RHSA-2016-2808.html
https://rhn.redhat.com/errata/RHSA-2016-2807.html
https://security.netapp.com/advisory/ntap-20180531-0001/
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.