http://seclists.org/bugtraq/2016/Feb/143

CVE-2015-5346 Apache Tomcat Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 7.0.5 to 7.0.65
- - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - Apache Tomcat 9.0.0.M1

Description:
When recycling the Request object to use for a new request, the
requestedSessionSSL field was not recycled. This meant that a session ID
provided in the next request to be processed using the recycled Request
object could be used when it should not have been. This gave the client
the ability to control the session ID. In theory, this could have been
used as part of a session fixation attack but it would have been hard to
achieve as the attacker would not have been able to force the victim to
use the 'correct' Request object. It was also necessary for at least one
web application to be configured to use the SSL session ID as the HTTP
session ID. This is not a common configuration.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.30 or later
- - Upgrade to Apache Tomcat 7.0.67 or later
  (7.0.66 has the fix but was not released)


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1311085
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346