Description
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
It was found that Tomcat's FORM authentication allowed a very small window in which an attacker could possibly force a victim to use a valid, attacker-known session (session fixation). While practical exploitation of this issue is deemed highly improbable, an abundance of caution merits treating it as a flaw. The highest threat from this vulnerability is to system availability, but it also threatens data confidentiality and integrity.
Statement
All affected Red Hat products providing the affected component code should update their setups per the product fixes given. The following Red Hat products are out of support scope for Low Impact flaws, and as such will not issue security fixes:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat JBoss BPM Suite 6
Red Hat JBoss BRMS 6
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat BPM Suite 6 | tomcat | Out of support scope | ||
Red Hat Enterprise Linux 5 | tomcat5 | Out of support scope | ||
Red Hat Enterprise Linux 6 | tomcat6 | Out of support scope | ||
Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Fix deferred | ||
Red Hat Fuse 7 | tomcat | Not affected | ||
Red Hat JBoss BRMS 6 | tomcat | Out of support scope | ||
Red Hat JBoss Data Grid 7 | tomcat | Not affected | ||
Red Hat JBoss Fuse 6 | tomcat | Not affected | ||
Red Hat Software Collections | rh-java-common-tomcat | Not affected | ||
Red Hat Enterprise Linux 7 | tomcat | Fixed | RHSA-2020:4004 | 29.09.2020 |
CVSS3: 7.5 High
Related vulnerabilities
In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack
Vulnerability in the FORM authentication of the Apache Tomcat application server, related to a session fixation weakness, allowing an attacker to gain unauthorized access to confidential data, cause a denial of service and affect data integrity