Vulnerabilities > CVE-2012-4529 - Session ID Information Disclosure vulnerability in Redhat products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log.
Vulnerable Configurations
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0833.NASL description The version of JBoss Enterprise Application Platform 6.0.1 running on the remote system is vulnerable to the following issues: - A man-in-the-middle attack is possible when applications running on JBoss Web use the COOKIE session tracking method. The flaw is in the org.apache.catalina.connector.Response.encodeURL() method. By making use of this, an attacker could obtain a user last seen 2020-06-01 modified 2020-06-02 plugin id 66971 published 2013-06-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66971 title JBoss Enterprise Application Platform 6.1.0 Update (RHSA-2013:0833) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(66971); script_version("1.16"); script_cvs_date("Date: 2019/10/24 15:35:37"); script_cve_id( "CVE-2012-4529", "CVE-2012-4572", "CVE-2012-5575", "CVE-2013-0166", "CVE-2013-0169", "CVE-2013-0218", "CVE-2013-2067" ); script_bugtraq_id(57652, 57778, 59799, 60040, 60043, 60045, 60268); script_xref(name:"RHSA", value:"2013:0833"); script_name(english:"JBoss Enterprise Application Platform 6.1.0 Update (RHSA-2013:0833)"); script_summary(english:"Checks for the installed versions of JBoss Enterprise Application Platform"); script_set_attribute(attribute:"synopsis", value:"The remote Red Hat host is missing a security update."); script_set_attribute(attribute:"description", value: "The version of JBoss Enterprise Application Platform 6.0.1 running on the remote system is vulnerable to the following issues: - A man-in-the-middle attack is possible when applications running on JBoss Web use the COOKIE session tracking method. The flaw is in the org.apache.catalina.connector.Response.encodeURL() method. By making use of this, an attacker could obtain a user's jsessionid and hijack their session. (CVE-2012-4529) - If multiple applications used the same custom authorization module class name, a local attacker could deploy a malicious application authorization module that would permit or deny user access. (CVE-2012-4572) - XML encryption backwards compatibility attacks could allow an attacker to force a server to use insecure legacy cryptosystems. (CVE-2012-5575) - A NULL pointer dereference flaw could allow a malicious OCSP to crash applications performing OCSP verification. (CVE-2013-0166) - An OpenSSL leaks timing information issue exists that could allow a remote attacker to retrieve plaintext from the encrypted packets. (CVE-2013-0169) - The JBoss Enterprise Application Platform administrator password and the sucker password are stored in a world- readable, auto-install XML file created by the GUI installer. (CVE-2013-0218) - Tomcat incorrectly handles certain authentication requests. A remote attacker could use this flaw to inject a request that would get executed with a victim's credentials. (CVE-2013-2067)"); script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4529.html"); script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-4572.html"); script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2012-5575.html"); script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-0166.html"); script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-0169.html"); script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-0218.html"); script_set_attribute(attribute:"see_also", value:"https://www.redhat.com/security/data/cve/CVE-2013-2067.html"); # https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7770d98"); script_set_attribute(attribute:"solution", value: "Upgrade the installed JBoss Enterprise Application Platform 6.0.1 to 6.1.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/10"); script_set_attribute(attribute:"patch_publication_date", value:"2013/05/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Red Hat Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl", "jboss_detect.nbin"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # We are only interested in Red Hat systems if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); info = ""; jboss = 0; installs = get_kb_list_or_exit("Host/JBoss/EAP"); if(!isnull(installs)) jboss = 1; foreach install (make_list(installs)) { match = eregmatch(string:install, pattern:"([^:]+):(.*)"); if (!isnull(match)) { ver = match[1]; path = match[2]; if (ver =~ "^6.0.1([^0-9]|$)") { info += '\n' + ' Path : ' + path+ '\n'; info += ' Version : ' + ver + '\n'; } } } # Report what we found. if (info) { if (report_verbosity > 0) { if (max_index(split(info)) > 3) s = 's of the JBoss Enterprise Application Platform are'; else s = ' of the JBoss Enterprise Application Platform is'; report = '\n' + 'The following instance'+s+' out of date and\nshould be upgraded to 6.1.0 or later :\n' + info; security_hole(port:0, extra:report); } else security_hole(port:0); } else if ( (!info) && (jboss) ) { exit(0, "The JBoss Enterprise Application Platform version installed is not affected."); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0839.NASL description Updated JBoss Enterprise Application Platform 6.1.0 packages that fix three security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ Security fixes : XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575) Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements. When applications running on JBoss Web used the COOKIE session tracking method, the org.apache.catalina.connector.Response.encodeURL() method returned the URL with the jsessionid appended as a query string parameter when processing the first request of a session. An attacker could possibly exploit this flaw by performing a man-in-the-middle attack to obtain a user last seen 2020-06-01 modified 2020-06-02 plugin id 66523 published 2013-05-21 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66523 title RHEL 5 : JBoss EAP (RHSA-2013:0839) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-1437.NASL description The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues: - A flaw in CSRF prevention filter in JBoss Web could allow remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. (CVE-2012-4431) - A flaw that occurs when the COOKIE session tracking method is used can allow attackers to hijack users last seen 2020-06-01 modified 2020-06-02 plugin id 72237 published 2014-01-31 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/72237 title JBoss Portal 6.1.0 Update (RHSA-2013:1437) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0834.NASL description Updated JBoss Enterprise Application Platform 6.1.0 packages that fix three security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/ Security fixes : XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575) Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements. When applications running on JBoss Web used the COOKIE session tracking method, the org.apache.catalina.connector.Response.encodeURL() method returned the URL with the jsessionid appended as a query string parameter when processing the first request of a session. An attacker could possibly exploit this flaw by performing a man-in-the-middle attack to obtain a user last seen 2020-06-01 modified 2020-06-02 plugin id 66522 published 2013-05-21 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66522 title RHEL 6 : JBoss EAP (RHSA-2013:0834)
Redhat
| advisories |
| ||||||||||||||||
| rpms |
|
References
- http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request/
- http://rhn.redhat.com/errata/RHSA-2013-0833.html
- http://rhn.redhat.com/errata/RHSA-2013-0834.html
- http://rhn.redhat.com/errata/RHSA-2013-0839.html
- http://rhn.redhat.com/errata/RHSA-2013-1437.html
- https://issues.jboss.org/browse/JBWEB-249