{ "threat_severity" : "Moderate", "public_date" : "2014-02-25T00:00:00Z", "bugzilla" : { "description" : "tomcat: session fixation still possible with disableURLRewriting enabled", "id" : "1069919", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1069919" }, "cvss" : { "cvss_base_score" : "4.3", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-384", "details" : [ "org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.", "It was found that previous fixes in Tomcat 6 to path parameter handling introduced a regression that caused Tomcat to not properly disable URL rewriting to track session IDs when the disableURLRewriting option was enabled. A man-in-the-middle attacker could potentially use this flaw to hijack a user's session." ], "statement" : "This issue did not affect JBoss Web, as shipped with various Red Hat JBoss products.\nThe disableURLRewriting property was introduced in Apache Tomcat 6.0.30. All versions of Apache Tomcat prior to 6.0.30 are not affected by this flaw, as the affected feature is not present.\nTomcat 6 as shipped with Red Hat JBoss Web Server 2.0.0 and above is affected by this flaw. Tomcat 6 as shipped with Red Hat JBoss Web Server 1.0.2 is not affected by this flaw. Tomcat 6 as shipped with Red Hat JBoss Web Server prior to 1.0.2 is not affected by this flaw, as the disableURLRewriting property is not supported. \nTomcat 6 as shipped with Red Hat Enterprise Linux 6 is based on Apache Tomcat 6.0.24 and is not affected by this flaw, as this flaw was introduced only in Apache Tomcat 6.0.33.", "affected_release" : [ { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 5", "release_date" : "2014-05-21T00:00:00Z", "advisory" : "RHSA-2014:0525", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el5", "package" : "tomcat6-0:6.0.37-19_patch_04.ep6.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2014-05-21T00:00:00Z", "advisory" : "RHSA-2014:0525", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "tomcat6-0:6.0.37-27_patch_04.ep6.el6" }, { "product_name" : "Red Hat JBoss Web Server 2.0", "release_date" : "2014-05-21T00:00:00Z", "advisory" : "RHSA-2014:0528", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.0", "package" : "tomcat6" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "tomcat5", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1", "fix_state" : "Not affected", "package_name" : "tomcat5", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1", "fix_state" : "Not affected", "package_name" : "tomcat6", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Not affected", "package_name" : "tomcat7", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-0033\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0033\nhttps://access.redhat.com/site/solutions/88203" ], "name" : "CVE-2014-0033", "csaw" : false }