ID CVE-2015-5346
Summary Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 7.0.0 beta
    cpe:2.3:a:apache:tomcat:7.0.0:beta
  • Apache Software Foundation Tomcat 7.0.2 beta
    cpe:2.3:a:apache:tomcat:7.0.2:beta
  • Apache Software Foundation Tomcat 7.0.4 beta
    cpe:2.3:a:apache:tomcat:7.0.4:beta
  • Apache Tomcat 7.0.5 Beta
    cpe:2.3:a:apache:tomcat:7.0.5:beta
  • Apache Software Foundation Tomcat 7.0.6
    cpe:2.3:a:apache:tomcat:7.0.6
  • Apache Software Foundation Tomcat 7.0.10
    cpe:2.3:a:apache:tomcat:7.0.10
  • Apache Software Foundation Tomcat 7.0.11
    cpe:2.3:a:apache:tomcat:7.0.11
  • Apache Software Foundation Tomcat 7.0.12
    cpe:2.3:a:apache:tomcat:7.0.12
  • Apache Software Foundation Tomcat 7.0.14
    cpe:2.3:a:apache:tomcat:7.0.14
  • Apache Software Foundation Tomcat 7.0.16
    cpe:2.3:a:apache:tomcat:7.0.16
  • Apache Software Foundation Tomcat 7.0.19
    cpe:2.3:a:apache:tomcat:7.0.19
  • Apache Software Foundation Tomcat 7.0.20
    cpe:2.3:a:apache:tomcat:7.0.20
  • Apache Software Foundation Tomcat 7.0.21
    cpe:2.3:a:apache:tomcat:7.0.21
  • Apache Software Foundation Tomcat 7.0.22
    cpe:2.3:a:apache:tomcat:7.0.22
  • Apache Software Foundation Tomcat 7.0.23
    cpe:2.3:a:apache:tomcat:7.0.23
  • Apache Software Foundation Tomcat 7.0.25
    cpe:2.3:a:apache:tomcat:7.0.25
  • Apache Software Foundation Tomcat 7.0.26
    cpe:2.3:a:apache:tomcat:7.0.26
  • Apache Software Foundation Tomcat 7.0.27
    cpe:2.3:a:apache:tomcat:7.0.27
  • Apache Software Foundation Tomcat 7.0.28
    cpe:2.3:a:apache:tomcat:7.0.28
  • Apache Software Foundation Tomcat 7.0.29
    cpe:2.3:a:apache:tomcat:7.0.29
  • Apache Software Foundation Tomcat 7.0.30
    cpe:2.3:a:apache:tomcat:7.0.30
  • Apache Software Foundation Tomcat 7.0.32
    cpe:2.3:a:apache:tomcat:7.0.32
  • Apache Software Foundation Tomcat 7.0.33
    cpe:2.3:a:apache:tomcat:7.0.33
  • Apache Software Foundation Tomcat 7.0.34
    cpe:2.3:a:apache:tomcat:7.0.34
  • Apache Software Foundation Tomcat 7.0.35
    cpe:2.3:a:apache:tomcat:7.0.35
  • Apache Software Foundation Tomcat 7.0.37
    cpe:2.3:a:apache:tomcat:7.0.37
  • Apache Software Foundation Tomcat 7.0.39
    cpe:2.3:a:apache:tomcat:7.0.39
  • Apache Software Foundation Tomcat 7.0.40
    cpe:2.3:a:apache:tomcat:7.0.40
  • Apache Software Foundation Tomcat 7.0.41
    cpe:2.3:a:apache:tomcat:7.0.41
  • Apache Software Foundation Tomcat 7.0.42
    cpe:2.3:a:apache:tomcat:7.0.42
  • Apache Software Foundation Tomcat 7.0.47
    cpe:2.3:a:apache:tomcat:7.0.47
  • Apache Software Foundation Tomcat 7.0.50
    cpe:2.3:a:apache:tomcat:7.0.50
  • Apache Software Foundation Tomcat 7.0.52
    cpe:2.3:a:apache:tomcat:7.0.52
  • Apache Software Foundation Tomcat 7.0.53
    cpe:2.3:a:apache:tomcat:7.0.53
  • Apache Software Foundation Tomcat 7.0.54
    cpe:2.3:a:apache:tomcat:7.0.54
  • Apache Software Foundation Tomcat 7.0.55
    cpe:2.3:a:apache:tomcat:7.0.55
  • Apache Software Foundation Tomcat 7.0.56
    cpe:2.3:a:apache:tomcat:7.0.56
  • Apache Software Foundation Tomcat 7.0.57
    cpe:2.3:a:apache:tomcat:7.0.57
  • Apache Tomcat 7.0.59
    cpe:2.3:a:apache:tomcat:7.0.59
  • Apache Tomcat 7.0.61
    cpe:2.3:a:apache:tomcat:7.0.61
  • Apache Tomcat 7.0.62
    cpe:2.3:a:apache:tomcat:7.0.62
  • Apache Tomcat 7.0.63
    cpe:2.3:a:apache:tomcat:7.0.63
  • Apache Tomcat 7.0.64
    cpe:2.3:a:apache:tomcat:7.0.64
  • Apache Software Foundation Tomcat 7.0.65
    cpe:2.3:a:apache:tomcat:7.0.65
  • Apache Software Foundation Tomcat 8.0.0 Release Candidate 1
    cpe:2.3:a:apache:tomcat:8.0.0:rc1
  • Apache Software Foundation Tomcat 8.0.0 release candidate 10
    cpe:2.3:a:apache:tomcat:8.0.0:rc10
  • cpe:2.3:a:apache:tomcat:8.0.0:rc3
    cpe:2.3:a:apache:tomcat:8.0.0:rc3
  • Apache Software Foundation Tomcat 8.0.0 release candidate 5
    cpe:2.3:a:apache:tomcat:8.0.0:rc5
  • Apache Software Foundation Tomcat 8.0.1
    cpe:2.3:a:apache:tomcat:8.0.1
  • Apache Software Foundation Tomcat 8.0.3
    cpe:2.3:a:apache:tomcat:8.0.3
  • Apache Software Foundation Tomcat 8.0.11
    cpe:2.3:a:apache:tomcat:8.0.11
  • Apache Software Foundation Tomcat 8.0.12
    cpe:2.3:a:apache:tomcat:8.0.12
  • Apache Software Foundation Tomcat 8.0.14
    cpe:2.3:a:apache:tomcat:8.0.14
  • Apache Software Foundation Tomcat 8.0.15
    cpe:2.3:a:apache:tomcat:8.0.15
  • Apache Tomcat 8.0.17
    cpe:2.3:a:apache:tomcat:8.0.17
  • Apache Tomcat 8.0.18
    cpe:2.3:a:apache:tomcat:8.0.18
  • Apache Tomcat 8.0.20
    cpe:2.3:a:apache:tomcat:8.0.20
  • Apache Tomcat 8.0.21
    cpe:2.3:a:apache:tomcat:8.0.21
  • Apache Tomcat 8.0.22
    cpe:2.3:a:apache:tomcat:8.0.22
  • Apache Tomcat 8.0.23
    cpe:2.3:a:apache:tomcat:8.0.23
  • Apache Tomcat 8.0.24
    cpe:2.3:a:apache:tomcat:8.0.24
  • Apache Tomcat 8.0.26
    cpe:2.3:a:apache:tomcat:8.0.26
  • Apache Software Foundation Tomcat 8.0.27
    cpe:2.3:a:apache:tomcat:8.0.27
  • Apache Software Foundation Tomcat 8.0.28
    cpe:2.3:a:apache:tomcat:8.0.28
  • Apache Software Foundation Tomcat 8.0.29
    cpe:2.3:a:apache:tomcat:8.0.29
  • Apache Software Foundation Tomcat 9.0.0 M1
    cpe:2.3:a:apache:tomcat:9.0.0:m1
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
CVSS
Base: 6.8 (as of 20-07-2016 - 11:08)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2046.NASL
    description From Red Hat Security Advisory 2016:2046 : An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 93948
    published 2016-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93948
    title Oracle Linux 7 : tomcat (ELSA-2016-2046) (httpoxy)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2046.NASL
    description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93966
    published 2016-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93966
    title CentOS 7 : tomcat (CESA-2016:2046) (httpoxy)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1049.NASL
    description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.(CVE-2014-7810) - Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.(CVE-2015-5346) - Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an 'httpoxy' issue. NOTE: the vendor states 'A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388'; in other words, this is not a CVE ID for a vulnerability.(CVE-2016-5388) - It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.(CVE-2016-5425) - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.(CVE-2016-6325) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99812
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99812
    title EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3530.NASL
    description Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 90205
    published 2016-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90205
    title Debian DSA-3530-1 : tomcat6 - security update
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161010_TOMCAT_ON_SL7_X.NASL
    description Security Fix(es) : - It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) - It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) - It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) - A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 94005
    published 2016-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94005
    title Scientific Linux Security Update : tomcat on SL7.x (noarch) (httpoxy)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_7BBC3016DE6311E58FA814DAE9D210B8.NASL
    description Mark Thomas reports : - CVE-2015-5346 Apache Tomcat Session fixation - CVE-2015-5351 Apache Tomcat CSRF token leak - CVE-2016-0763 Apache Tomcat Security Manager Bypass
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 89010
    published 2016-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89010
    title FreeBSD : tomcat -- multiple vulnerabilities (7bbc3016-de63-11e5-8fa8-14dae9d210b8)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_1F1124FEDE5C11E58FA814DAE9D210B8.NASL
    description Mark Thomas reports : - CVE-2015-5345 Apache Tomcat Directory disclosure - CVE-2016-0706 Apache Tomcat Security Manager bypass - CVE-2016-0714 Apache Tomcat Security Manager Bypass
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 89006
    published 2016-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89006
    title FreeBSD : tomcat -- multiple vulnerabilities (1f1124fe-de5c-11e5-8fa8-14dae9d210b8)
  • NASL family Web Servers
    NASL id TOMCAT_8_0_32.NASL
    description According to its self-reported version number, the Apache Tomcat service running on the remote host is 8.0.x prior to 8.0.32. It is, therefore, affected by multiple vulnerabilities : - A flaw exists due to a failure to invalidate a previous session ID when assigning an ID to a new session. An attacker can exploit this, via a crafted request that uses the requestedSessionSSL field to fixate the session ID, to ensure that the user authenticates with a known session ID, allowing the session to be subsequently hijacked. (CVE-2015-5346) - An information disclosure vulnerability exists in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An unauthenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - An information disclosure vulnerability exists that allows a specially crafted web application to load the StatusManagerServlet. An attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A security bypass vulnerability exists due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An unauthenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A flaw exists due to the setGlobalContext() method of ResourceLinkFactory being accessible to web applications even when run under a security manager. An unauthenticated, remote attacker can exploit this to inject malicious global context, allowing data owned by other web applications to be read or written to. (CVE-2016-0763) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-08-01
    plugin id 88937
    published 2016-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88937
    title Apache Tomcat 8.0.0.RC1 < 8.0.32 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2807.NASL
    description An update is now available for Red Hat JBoss Enterprise Web Server 2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for Red Hat JBoss Web Server 2.1.1. It contains security fixes for the Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web Server need to apply the fixes delivered in this release. Security Fix(es) : * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763) * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95024
    published 2016-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95024
    title RHEL 6 / 7 : JBoss Web Server (RHSA-2016:2807)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1087.NASL
    description Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix(es) : * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91245
    published 2016-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91245
    title RHEL 6 : JBoss Web Server (RHSA-2016:1087)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3609.NASL
    description Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections, bypass of the SecurityManager or denial of service.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91906
    published 2016-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91906
    title Debian DSA-3609-1 : tomcat8 - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-679.NASL
    description ResourceLinkFactory.setGlobalContext() is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. (CVE-2016-0763) A session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. (CVE-2015-5346) The Manager and Host Manager applications were discovered to establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. (CVE-2015-5351) The session-persistence implementation was discovered to mishandle session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (CVE-2016-0714) It was discovered that org.apache.catalina.manager.StatusManagerServlet was not placed on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (CVE-2016-0706)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 90272
    published 2016-04-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90272
    title Amazon Linux AMI : tomcat8 (ALAS-2016-679)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2046.NASL
    description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93951
    published 2016-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93951
    title RHEL 7 : tomcat (RHSA-2016:2046) (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1088.NASL
    description Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix(es) : * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91246
    published 2016-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91246
    title RHEL 7 : JBoss Web Server (RHSA-2016:1088)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3552.NASL
    description Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections and bypass of the SecurityManager.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 90552
    published 2016-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90552
    title Debian DSA-3552-1 : tomcat7 - security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201705-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-201705-09 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition, obtain sensitive information, bypass protection mechanisms and authentication restrictions. A local attacker, who is a tomcat’s system user or belongs to tomcat’s group, could potentially escalate privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 100262
    published 2017-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100262
    title GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-657.NASL
    description A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174) A session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. (CVE-2015-5346) It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 89838
    published 2016-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89838
    title Amazon Linux AMI : tomcat7 (ALAS-2016-657)
  • NASL family Web Servers
    NASL id TOMCAT_7_0_67.NASL
    description According to its self-reported version number, the Apache Tomcat instance listening on the remote host is prior to 7.0.67. It is, therefore, affected by a session fixation vulnerability: - A flaw exists due to a failure to invalidate a previous session ID when assigning an ID to a new session. An attacker can exploit this, via a crafted request that uses the requestedSessionSSL field to fixate the session ID, to ensure that the user authenticates with a known session ID, allowing the session to be subsequently hijacked. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-11
    plugin id 121118
    published 2019-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121118
    title Apache Tomcat < 7.0.67 Session Fixation
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3024-1.NASL
    description It was discovered that Tomcat incorrectly handled pathnames used by web applications in a getResource, getResourceAsStream, or getResourcePaths call. A remote attacker could use this issue to possibly list a parent directory . This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5174) It was discovered that the Tomcat mapper component incorrectly handled redirects. A remote attacker could use this issue to determine the existence of a directory. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5345) It was discovered that Tomcat incorrectly handled different session settings when multiple versions of the same web application was deployed. A remote attacker could possibly use this issue to hijack web sessions. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5346) It was discovered that the Tomcat Manager and Host Manager applications incorrectly handled new requests. A remote attacker could possibly use this issue to bypass CSRF protection mechanisms. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5351) It was discovered that Tomcat did not place StatusManagerServlet on the RestrictedServlets list. A remote attacker could possibly use this issue to read arbitrary HTTP requests, including session ID values. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0706) It was discovered that the Tomcat session-persistence implementation incorrectly handled session attributes. A remote attacker could possibly use this issue to execute arbitrary code in a privileged context. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0714) It was discovered that the Tomcat setGlobalContext method incorrectly checked if callers were authorized. A remote attacker could possibly use this issue to read or wite to arbitrary application data, or cause a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0763) It was discovered that the Tomcat Fileupload library incorrectly handled certain upload requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-3092). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 91954
    published 2016-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91954
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : tomcat6, tomcat7 vulnerabilities (USN-3024-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-384.NASL
    description This update for tomcat fixes the following issues : Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security issues. Fixed security issues : - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (bsc#967967) - CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might have allowed remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. (bsc#967814) - CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allowed remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (bsc#967965) - CVE-2015-5351: The (1) Manager and (2) Host Manager applications in Apache Tomcat established sessions and send CSRF tokens for arbitrary new requests, which allowed remote attackers to bypass a CSRF protection mechanism by using a token. (bsc#967812) - CVE-2016-0706: Apache Tomcat did not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (bsc#967815) - CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandled session attributes, which allowed remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (bsc#967964) - CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat did not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. (bsc#967966) The full changes can be read on: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2016-11-04
    plugin id 90136
    published 2016-03-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90136
    title openSUSE Security Update : tomcat (openSUSE-2016-384)
  • NASL family Web Servers
    NASL id TOMCAT_9_0_0_M3.NASL
    description According to its self-reported version number, the Apache Tomcat instance listening on the remote host is prior to 9.0.0.M3. It is, therefore, affected by multiple vulnerabilities: - An information disclosure vulnerability exists due to a failure to enforce access restrictions when handling directory requests that are missing trailing slashes. An unauthenticated, remote attacker can exploit this to enumerate valid directories. (CVE-2015-5345) - A flaw exists due to a failure to invalidate a previous session ID when assigning an ID to a new session. An attacker can exploit this, via a crafted request that uses the requestedSessionSSL field to fixate the session ID, to ensure that the user authenticates with a known session ID, allowing the session to be subsequently hijacked. (CVE-2015-5346) - An information disclosure vulnerability exists in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An unauthenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - An information disclosure vulnerability exists that allows a specially crafted web application to load the StatusManagerServlet. An attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A security bypass vulnerability exists due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An unauthenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A flaw exists due to the setGlobalContext() method of ResourceLinkFactory being accessible to web applications even when run under a security manager. An unauthenticated, remote attacker can exploit this to inject malicious global context, allowing data owned by other web applications to be read or written to. (CVE-2016-0763) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-11
    plugin id 121125
    published 2019-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121125
    title Apache Tomcat < 9.0.0.M3 Multiple Vulnerabilities
redhat via4
advisories
  • rhsa
    id RHSA-2016:1087
  • rhsa
    id RHSA-2016:1088
  • rhsa
    id RHSA-2016:1089
  • rhsa
    id RHSA-2016:2046
  • rhsa
    id RHSA-2016:2807
  • rhsa
    id RHSA-2016:2808
rpms
  • tomcat-0:7.0.54-8.el7_2
  • tomcat-admin-webapps-0:7.0.54-8.el7_2
  • tomcat-docs-webapp-0:7.0.54-8.el7_2
  • tomcat-el-2.2-api-0:7.0.54-8.el7_2
  • tomcat-javadoc-0:7.0.54-8.el7_2
  • tomcat-jsp-2.2-api-0:7.0.54-8.el7_2
  • tomcat-jsvc-0:7.0.54-8.el7_2
  • tomcat-lib-0:7.0.54-8.el7_2
  • tomcat-servlet-3.0-api-0:7.0.54-8.el7_2
  • tomcat-webapps-0:7.0.54-8.el7_2
refmap via4
bid 83323
bugtraq 20160222 [SECURITY] CVE-2015-5346 Apache Tomcat Session fixation
confirm
debian
  • DSA-3530
  • DSA-3552
  • DSA-3609
gentoo GLSA-201705-09
misc http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
sectrack 1035069
suse
  • SUSE-SU-2016:0769
  • SUSE-SU-2016:0822
  • openSUSE-SU-2016:0865
ubuntu USN-3024-1
Last major update 05-12-2016 - 22:02
Published 24-02-2016 - 20:59
Last modified 18-07-2018 - 21:29
Back to Top