Bug 967814 - (CVE-2015-5346) VUL-0: CVE-2015-5346: tomcat: Session fixation
(CVE-2015-5346)
VUL-0: CVE-2015-5346: tomcat: Session fixation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/162122/
CVSSv2:NVD:CVE-2015-5346:6.8:(AV:N/AC...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-23 12:05 UTC by Alexander Bergmann
Modified: 2018-08-23 16:07 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-02-23 12:05:52 UTC
http://seclists.org/bugtraq/2016/Feb/143

CVE-2015-5346 Apache Tomcat Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 7.0.5 to 7.0.65
- - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - Apache Tomcat 9.0.0.M1

Description:
When recycling the Request object to use for a new request, the
requestedSessionSSL field was not recycled. This meant that a session ID
provided in the next request to be processed using the recycled Request
object could be used when it should not have been. This gave the client
the ability to control the session ID. In theory, this could have been
used as part of a session fixation attack but it would have been hard to
achieve as the attacker would not have been able to force the victim to
use the 'correct' Request object. It was also necessary for at least one
web application to be configured to use the SSL session ID as the HTTP
session ID. This is not a common configuration.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.30 or later
- - Upgrade to Apache Tomcat 7.0.67 or later
  (7.0.66 has the fix but was not released)


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1311085
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346
Comment 1 Swamp Workflow Management 2016-02-23 23:00:36 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2016-03-15 14:13:03 UTC
SUSE-SU-2016:0769-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    tomcat-8.0.32-3.1
Comment 4 Swamp Workflow Management 2016-03-18 18:13:57 UTC
SUSE-SU-2016:0822-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
SUSE Linux Enterprise Server 12 (src):    tomcat-7.0.68-7.6.1
Comment 5 Swamp Workflow Management 2016-03-23 17:10:11 UTC
openSUSE-SU-2016:0865-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
openSUSE Leap 42.1 (src):    tomcat-8.0.32-5.1
Comment 7 Marcus Meissner 2017-07-03 13:19:26 UTC
released