-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0056

Title: Apache Tomcat Security Update

Version history:
21.06.2013 Initial publication

Summary
=======
FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.

CVE numbers: CVE-2013-2067
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) [1]


Vulnerable systems
==================
Tomcat 7.0.0 to 7.0.32
Tomcat 6.0.21 to 6.0.36


Original Details
================
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
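The Summary and the Original Details both describe the same mechanism: FORM authentication remembers the protected request that triggered the login form so it can be replayed once the user has signed in, and the implementation replays whichever protected request was most recently seen on the session. The following added example models that saved-request logic in Python; it is constructed for this advisory and is not Tomcat code, nor a description of the fix Tomcat shipped. The naive store reproduces the behaviour the advisory describes, while the hardened store binds the saved request to a one-time nonce embedded in the rendered login form, so a request that reaches the session after the form was issued cannot be the one replayed. The class, function and URI names are all assumptions of the example.

```python
"""Illustrative model of FORM-authentication "saved request" handling.

Constructed example for the advisory above, not Tomcat code. A session
may be shared with an attacker who knows its id; the question is which
protected request gets replayed after the legitimate user logs in.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets

LANDING_PAGE = "/"  # fallback after login when no trustworthy saved request exists


@dataclass
class Session:
    """Minimal server-side session state (constructed)."""
    saved_request: Optional[str] = None   # protected URI to replay after login
    form_nonce: Optional[str] = None      # nonce of the login form rendered for it
    user: Optional[str] = None


class NaiveFormAuth:
    """Most recent protected request wins: the behaviour the advisory describes."""

    def protected_request(self, session: Session, uri: str) -> Tuple[str, Optional[str]]:
        if session.user is not None:
            return ("serve", uri)
        session.saved_request = uri          # silently replaces any pending saved request
        return ("login_form", None)

    def login(self, session: Session, user: str,
              form_nonce: Optional[str] = None) -> Tuple[str, str]:
        session.user = user
        target = session.saved_request or LANDING_PAGE
        session.saved_request = None
        return ("redirect", target)          # replays whatever was saved last


class HardenedFormAuth:
    """Saved request is usable only with the login form that was issued for it."""

    def protected_request(self, session: Session, uri: str) -> Tuple[str, Optional[str]]:
        if session.user is not None:
            return ("serve", uri)
        session.saved_request = uri
        session.form_nonce = secrets.token_urlsafe(16)   # belongs to this form rendering only
        return ("login_form", session.form_nonce)        # nonce goes into a hidden form field

    def login(self, session: Session, user: str,
              form_nonce: Optional[str] = None) -> Tuple[str, str]:
        session.user = user
        pending, expected = session.saved_request, session.form_nonce
        session.saved_request = session.form_nonce = None
        if (pending is not None and expected is not None and form_nonce is not None
                and secrets.compare_digest(form_nonce, expected)):
            return ("redirect", pending)
        # The submitted form is not the one issued for the pending request: another
        # protected request reached this session in between, so do not replay it.
        return ("redirect", LANDING_PAGE)


def run_injection_scenario(auth) -> str:
    """Victim requests a protected page, a second request lands on the same session
    while the login form is open, then the victim submits the form. Returns the URI
    the victim is redirected to after login."""
    session = Session()
    _, victim_nonce = auth.protected_request(session, "/account")   # victim sees login form
    auth.protected_request(session, "/injected-by-attacker")        # injected on the same session
    _, target = auth.login(session, "alice", victim_nonce)          # victim completes the form
    return target


def run_clean_scenario(auth) -> str:
    """Same flow with no interfering request; the user's own request should be replayed."""
    session = Session()
    _, nonce = auth.protected_request(session, "/account")
    _, target = auth.login(session, "alice", nonce)
    return target


if __name__ == "__main__":
    print("naive    :", run_injection_scenario(NaiveFormAuth()))
    print("hardened :", run_injection_scenario(HardenedFormAuth()))
    print("hardened, no interference:", run_clean_scenario(HardenedFormAuth()))
```

With the naive store the victim is redirected to the injected URI after logging in, which is exactly the request-injection outcome the advisory describes; with the hardened store the victim lands on the default page instead, and the injected request is never executed under the victim's credentials. Losing the post-login redirect when another request intervened is the intended trade-off.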


What can you do?
================
Upgrade to an Apache Tomcat version that fixes the vulnerability [2],[3].
There are also some vendor-dependent patches [4].


What to tell your users?
========================
N/A

More information
================
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2067
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
[4] https://rhn.redhat.com/errata/RHSA-2013-0964.html


Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement:
http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----