Vigil@nce - Apache Tomcat: session fixation via requestedSessionSSL

April 2016 by Vigil@nce

SYNTHESIS OF THE VULNERABILITY

An attacker can take advantage of a stale requestedSessionSSL flag in Apache Tomcat to fix the session identifier used by another user (session fixation) and thereby access that user's session.

Impacted products: Tomcat, Debian, openSUSE Leap, Solaris, SUSE
Linux Enterprise Desktop, SLES.

Severity: 2/4.

Creation date: 22/02/2016.

DESCRIPTION OF THE VULNERABILITY

Apache Tomcat recycles its Request object between requests instead of allocating a new one, to improve performance.

However, the requestedSessionSSL field was not reset when the object was recycled. This flag records that the requested session identifier was taken from the TLS session (SSL session tracking mode) rather than from a cookie or a URL parameter, and Tomcat treats such an identifier as trustworthy. In some configurations, where a request that sets the flag is followed, on the same recycled object, by a request to a deployment that does not use SSL tracking, the stale flag causes a session identifier supplied by the client to be accepted as if it came from the TLS session.

An attacker can therefore choose the session identifier that Tomcat assigns to another user, and then use that identifier to access the user's session.
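To make the mechanism concrete, here is an added Python model of a pooled Request object whose "session ID came from TLS" flag is either reset or not reset on recycle. It is an illustration written for this page, not Tomcat's code and not part of the Vigil@nce bulletin. It assumes, as in Tomcat's SSL session-tracking mode, that a session identifier flagged as coming from the TLS session is adopted verbatim when a new session is created, while an unknown identifier from a cookie is discarded. The class names, the tracking-mode strings and the session identifiers are constructed for the example.

```python
import secrets


class SessionManager:
    """Minimal session store (constructed for this example, not Tomcat code).

    create_session(requested_id) models the container behaviour this bulletin
    hinges on: when the session ID was derived from the TLS session, the
    container adopts that ID as-is instead of generating a fresh one.
    """

    def __init__(self):
        self.sessions = {}

    def create_session(self, requested_id=None):
        sid = requested_id if requested_id is not None else secrets.token_hex(16)
        self.sessions[sid] = {"id": sid}
        return self.sessions[sid]


class PooledRequest:
    """One Request object reused for every request, like Tomcat's recycled Request.

    fixed=False reproduces the bug: requested_session_ssl survives recycle().
    fixed=True resets it on every recycle, which is what the fix does.
    """

    def __init__(self, fixed):
        self.fixed = fixed
        self.requested_session_ssl = False  # state of a brand-new object
        self.recycle()

    def recycle(self):
        self.requested_session_id = None
        self.requested_session_cookie = False
        if self.fixed:
            self.requested_session_ssl = False
        # vulnerable variant: requested_session_ssl keeps its previous value


class Container:
    def __init__(self, fixed):
        self.manager = SessionManager()
        self.request = PooledRequest(fixed)  # single pooled object, reused

    def handle(self, tracking_mode, cookie_id=None, tls_session_id=None):
        """Serve one request; tracking_mode is the deployment's session tracking mode."""
        req = self.request
        req.recycle()
        if cookie_id is not None:  # a JSESSIONID-style cookie wins when present
            req.requested_session_id = cookie_id
            req.requested_session_cookie = True
        elif tracking_mode == "SSL" and tls_session_id is not None:
            req.requested_session_id = tls_session_id
            req.requested_session_ssl = True  # ID came from the TLS session
        return self._get_session(req)

    def _get_session(self, req):
        sid = req.requested_session_id
        if sid in self.manager.sessions:
            return self.manager.sessions[sid]
        if req.requested_session_ssl:
            # Trusting the flag: adopt the requested ID verbatim.
            return self.manager.create_session(sid)
        return self.manager.create_session()  # unknown cookie ID: ignore it


def run_scenario(fixed):
    """Two back-to-back requests served by the same pooled Request object.

    Returns (session ID created for request 1, session ID created for request 2).
    """
    container = Container(fixed)
    # Request 1: a deployment using SSL session tracking; ID taken from the TLS
    # session (constructed value).
    first = container.handle("SSL", tls_session_id="tls-session-0001")
    # Request 2: a cookie-tracked deployment, with a cookie value the attacker
    # planted in the victim's browser (classic session-fixation setup).
    second = container.handle("COOKIE", cookie_id="ATTACKER-CHOSEN")
    return first["id"], second["id"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("fixed:     ", run_scenario(fixed=True))
```

With the flag left stale, the second request ends up with a session whose identifier is exactly the attacker-planted cookie value, so the attacker knows the victim's session ID before the victim even authenticates. With the flag reset on recycle, the unknown cookie value is discarded and a fresh random identifier is generated, which is the behaviour a container must have to resist session fixation.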

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

https://vigilance.fr/vulnerability/Apache-Tomcat-session-fixation-via-requestedSessionSSL-18995

