Vigil@nce - Apache Tomcat: session fixation via requestedSessionSSL
April 2016 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can reuse the requestedSessionSSL value of Apache
Tomcat, in order to access the TLS session of another user.
Impacted products: Tomcat, Debian, openSUSE Leap, Solaris, SUSE
Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 22/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Apache Tomcat product can recycle its Request object to
improve performance.
However, the requestedSessionSSL field is not reinitialized when
the object is recycled. In certain configurations, an attacker
can thus set the TLS session identifier and access the session of
another user.
An attacker can therefore reuse the requestedSessionSSL value of
Apache Tomcat, in order to access the TLS session of another
user.
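As an added illustration of the bug class described above (state surviving the recycling of a pooled object), the following self-contained Java program was written for this page and is not Apache Tomcat's code: the PooledRequest and RequestPool classes, their field names and the session identifiers are hypothetical. It contrasts a recycle routine that forgets one field with one that resets every field, and shows the kind of check a maintainer can run to detect the leak.

```java
// Added example: a constructed, self-contained illustration of stale state in a
// recycled request object. It is NOT Apache Tomcat's code; the classes, fields
// and session ids below are hypothetical.
import java.util.ArrayDeque;
import java.util.Deque;

public class RecycledRequestDemo {

    /** Minimal stand-in for a pooled request object (hypothetical, not Tomcat's Request). */
    static class PooledRequest {
        String requestedSessionId;    // session id parsed from the current request
        boolean requestedSessionSSL;  // true if that id was taken from the TLS session (hypothetical field)

        /** Buggy reset: forgets requestedSessionSSL, so it survives into the next request. */
        void recycleBuggy() {
            requestedSessionId = null;
        }

        /** Hardened reset: every field is returned to its initial value before reuse. */
        void recycleFixed() {
            requestedSessionId = null;
            requestedSessionSSL = false;
        }
    }

    /** Tiny object pool that reuses request objects, as a container might for performance. */
    static class RequestPool {
        private final Deque<PooledRequest> free = new ArrayDeque<>();
        private final boolean fixed;

        RequestPool(boolean fixed) {
            this.fixed = fixed;
        }

        PooledRequest acquire() {
            PooledRequest r = free.poll();
            return r != null ? r : new PooledRequest();
        }

        void release(PooledRequest r) {
            if (fixed) {
                r.recycleFixed();
            } else {
                r.recycleBuggy();
            }
            free.push(r);
        }
    }

    /**
     * Serve two consecutive requests from different clients with the same pooled object
     * and report whether the second one observes the first one's SSL flag.
     */
    static boolean secondRequestSeesSslFlag(boolean fixed) {
        RequestPool pool = new RequestPool(fixed);

        PooledRequest first = pool.acquire();
        first.requestedSessionId = "SESSION-A";  // constructed value
        first.requestedSessionSSL = true;        // first client's id came from its TLS session
        pool.release(first);

        PooledRequest second = pool.acquire();   // same object handed to a different client
        second.requestedSessionId = "SESSION-B"; // constructed value
        // The second request never set the SSL flag; a true value here is leaked state.
        boolean leaked = second.requestedSessionSSL;
        pool.release(second);
        return leaked;
    }

    public static void main(String[] args) {
        System.out.println("buggy recycle leaks the SSL flag: " + secondRequestSeesSslFlag(false));
        System.out.println("fixed recycle leaks the SSL flag: " + secondRequestSeesSslFlag(true));
    }
}
```

The check in secondRequestSeesSslFlag is the shape of a regression test worth keeping in any code base that pools request objects: acquire, populate every field, release, acquire again and assert that each field is back at its default.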
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Apache-Tomcat-session-fixation-via-requestedSessionSSL-18995