-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0056
Title: Apache Tomcat Security Update
Version history:
21.06.2013 Initial publication

Summary
=======

FORM authentication associates the most recent request requiring
authentication with the current session. By repeatedly sending a request for
an authenticated resource while the victim is completing the login form, an
attacker could inject a request that would be executed using the victim's
credentials.

CVE numbers: CVE-2013-2067
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) [1]

Vulnerable systems
==================

Tomcat 7.0.0 to 7.0.32
Tomcat 6.0.21 to 6.0.36

Original Details
================

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form
authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before
7.0.33 does not properly handle the relationships between authentication
requirements and sessions, which allows remote attackers to inject a request
into a session by sending this request during completion of the login form,
a variant of a session fixation attack.

What can you do?
================

Upgrade to an Apache Tomcat version that fixes the vulnerability [2], [3].
There are also vendor-specific patches [4].

What to tell your users?
========================

N/A

More information
================

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2067
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
[4] https://rhn.redhat.com/errata/RHSA-2013-0964.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJRxE8kAAoJEPpzpNLI8SVonJEQAI2fYBRjd95LEegtr34beaGd
7uXOlv9PpCBTqwjrxb+0mvSzj/QZBUNghZajEMczc/YE/n5cLvU7McqNQ3DnZQ4f
Q5X9JXLqZPhzWQB6HKGBmTvrS9iKi7uRhNV3LravIUVrKBgSi+fKWt3f0uBlQYul
Y/UX9uHMtulCYObkn+ES0xRKzZV71Vf7YrjRvp0uAG4c6vp0VaA/XGETi9D/noLa
X3qEGOyDQR3yjKuuJKlREIDYlqDpH/hqdLR87hHelN9o49kxF3b8FvSSURAvSLXe
wIv976/W8aWLpfCN9x/GNgdQEUezTDI3GVei3ME94Q4XytcrHtS5HO1FSmKFHxLV
eAAueeT6xbGVjnCBHZf6KXot7mMmuG+9PA2koWkreV8SKcQWj8mpJ4K5+1ikW/hy
SNYBDVbZayHM4OMUnDHgTTiv7XR7FjDdoDev4Wk13Ca9ImefyAU0MfPji7xjvlTk
VqufBVEORkBX77D/lr4lDLodm9QSjzFJJ6aou7XDzB1LgSjL4n6g80jod0dCUV5Z
5lVtErRIchkFob1cDxgy2T0MXm0URyZF9viqvTyNuRs2vcoZDmttv28isoCL3AkX
q7NL/ygMd4ovPReZEmAU2wBEOA3gYQdm22ip0OgYd/AGE5JpFxIIcpTRIagI2GXt
wUs3QPGVx1kLHpipHDF9
=zWMl
-----END PGP SIGNATURE-----
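The Summary and Original Details above describe why "save the latest request, replay it after login" is dangerous when the session identifier is already known to someone else. The following Python model is an added illustration, not part of the CERT-EU advisory and not Tomcat's Java code: `FormAuthenticator` reproduces the described behaviour (the last unauthenticated request on the session is the one replayed), and `HardenedFormAuthenticator` shows one defensive design in which the login form carries a token bound to the request that was saved when the form was issued, so a request saved afterwards is discarded rather than replayed, and the session identifier is rotated on authentication. That design is an assumption made for this example; the fix actually shipped in the Tomcat releases referenced in [2] and [3] is documented there. The class names, the `form_token` field, `run_scenario`, and the credentials in `USERS` are all constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed credential store for the model (not real credentials).
USERS = {"alice": "correct horse"}


@dataclass
class Request:
    method: str
    uri: str
    body: str = ""


@dataclass
class Session:
    sid: str
    principal: Optional[str] = None
    saved: Optional[Request] = None
    form_token: Optional[str] = None  # used only by the hardened model


class FormAuthenticator:
    """Model of the behaviour the advisory describes: every unauthenticated
    request for a protected resource overwrites the saved request, so the
    LAST request to arrive on the session before the login completes is the
    one replayed with the authenticated user's identity."""

    def __init__(self) -> None:
        self.executed: List[Tuple[str, Request]] = []  # what the app ran, and as whom

    def protected(self, session: Session, req: Request) -> str:
        if session.principal:
            self.executed.append((session.principal, req))
            return "200 OK"
        session.saved = req  # latest request wins
        return "302 -> login form"

    def login_form(self, session: Session) -> dict:
        return {"j_username": "", "j_password": ""}

    def login(self, session: Session, form: dict) -> str:
        if USERS.get(form["j_username"]) != form["j_password"]:
            return "403 login failed"
        session.principal = form["j_username"]
        saved, session.saved = session.saved, None
        if saved is None:
            return "302 -> landing page"
        self.executed.append((session.principal, saved))  # replay the saved request
        return f"302 -> {saved.uri}"


class HardenedFormAuthenticator(FormAuthenticator):
    """One defensive design (assumed for this example, not Tomcat's fix):
    each saved request gets a fresh token embedded in the login form. The
    login POST must carry the token belonging to the request currently
    saved; otherwise that request is discarded instead of replayed. A request
    saved after the victim loaded the form replaces the token, so the
    victim's submission no longer matches it."""

    def protected(self, session: Session, req: Request) -> str:
        if session.principal:
            return super().protected(session, req)
        session.saved = req
        session.form_token = secrets.token_hex(16)
        return "302 -> login form"

    def login_form(self, session: Session) -> dict:
        form = super().login_form(session)
        form["form_token"] = session.form_token
        return form

    def login(self, session: Session, form: dict) -> str:
        if form.get("form_token") != session.form_token:
            session.saved = None  # token mismatch: never replay an unverified request
        session.form_token = None
        result = super().login(session, form)
        if session.principal:
            session.sid = secrets.token_hex(16)  # rotate the id on authentication
        return result


def run_scenario(auth_cls, inject: bool = True) -> dict:
    """Plays the advisory's sequence against one authenticator model. The
    session id "fixed-id" stands for an identifier already known to the
    attacker (the session-fixation precondition the advisory refers to)."""
    auth = auth_cls()
    session = Session(sid="fixed-id")
    victim_req = Request("GET", "/account")
    injected_req = Request("POST", "/settings", body="injected=1")  # constructed

    auth.protected(session, victim_req)        # 1. victim requests a protected page
    form = auth.login_form(session)            # 2. victim's browser receives the login form
    if inject:
        auth.protected(session, injected_req)  # 3. another request arrives on the same session
    form.update(j_username="alice", j_password="correct horse")
    result = auth.login(session, form)         # 4. victim submits the login form
    return {"login_result": result,
            "executed": [(who, req.uri) for who, req in auth.executed],
            "session_rotated": session.sid != "fixed-id"}


if __name__ == "__main__":
    for cls in (FormAuthenticator, HardenedFormAuthenticator):
        print(cls.__name__, run_scenario(cls))
```

Running the script shows the two models diverging only at step 4: the first replays `/settings` as `alice`, the second sends her to the landing page and runs nothing on her behalf, while still replaying her own `/account` request when no foreign request intervened (`run_scenario(HardenedFormAuthenticator, inject=False)`). The token check is what removes the "most recent request wins" property; rotating the session id on login is a separate, general countermeasure against session fixation and would not by itself prevent the replay.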