Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx

http://issues.apache.org/bugzilla/show_bug.cgi?id=41217

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

http://rhn.redhat.com/errata/RHSA-2008-0630.html

http://secunia.com/advisories/28549

http://secunia.com/advisories/28552

http://secunia.com/advisories/29242

http://secunia.com/advisories/31493

http://secunia.com/advisories/33668

http://security-tracker.debian.net/tracker/CVE-2008-0128

http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540

http://www.debian.org/security/2008/dsa-1468

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://www.securityfocus.com/archive/1/500396/100/0/threaded

http://www.securityfocus.com/archive/1/500412/100/0/threaded

http://www.securityfocus.com/bid/27365

http://www.vupen.com/english/advisories/2008/0192

http://www.vupen.com/english/advisories/2009/0233

https://exchange.xforce.ibmcloud.com/vulnerabilities/39804

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2020-5398 Vulnerability in maven package org.springframework:spring-web

CVE-2011-1582 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2022-28367 Vulnerability in maven package org.owasp:antisamy

CVE-2022-23082 Vulnerability in maven package io.whitesource:curekit

CVE-2022-42128 Vulnerability in maven package com.liferay:com.liferay.headless.delivery.impl

Severity

Critical

Classification

CWE-16

Tags

Patch Vendor Advisory