It was found that previous fixes in Tomcat 6 to path parameter handling introduced a regression that caused Tomcat not to disable URL rewriting for session ID tracking when the disableURLRewriting option was enabled. A man-in-the-middle attacker could potentially use this flaw to hijack a user's session.
Find out more about CVE-2014-0033 from the MITRE CVE dictionary and NIST NVD.
This issue did not affect JBoss Web, as shipped with various Red Hat JBoss products.
The disableURLRewriting property was introduced in Apache Tomcat 6.0.30. All versions of Apache Tomcat prior to 6.0.30 are not affected by this flaw, as the affected feature is not present.
Tomcat 6 as shipped with Red Hat JBoss Web Server 2.0.0 and above is affected by this flaw. Tomcat 6 as shipped with Red Hat JBoss Web Server 1.0.2 is not affected by this flaw. Tomcat 6 as shipped with Red Hat JBoss Web Server prior to 1.0.2 is not affected by this flaw, as the disableURLRewriting property is not supported.
Tomcat 6 as shipped with Red Hat Enterprise Linux 6 is based on Apache Tomcat 6.0.24 and is not affected by this flaw, as this flaw was introduced only in Apache Tomcat 6.0.33.
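Added example, not Red Hat's or Tomcat's own code: a check a defender can run over the HTML of pages fetched from an updated Tomcat 6 instance to confirm that disableURLRewriting is actually being honoured, by flagging every link, form action or resource URL that still carries a jsessionid path parameter. The two sample pages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path parameter Tomcat appends when it falls back to URL rewriting,
# e.g. /app/cart.jsp;jsessionid=ABCDEF0123456789?item=42 (cookie form is JSESSIONID)
SESSION_PATH_PARAM = re.compile(r";jsessionid=([0-9A-Za-z]+)", re.IGNORECASE)

# Attributes whose values an application normally passes through response.encodeURL()
URL_ATTRS = {"a": "href", "form": "action", "link": "href",
             "img": "src", "script": "src", "iframe": "src"}


class RewrittenUrlFinder(HTMLParser):
    """Collect (tag, url, session_id) for every URL carrying a jsessionid path parameter."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)  # HTMLParser lower-cases tag and attribute names
        if wanted is None:
            return
        for name, value in attrs:
            if name != wanted or not value:
                continue
            # urlsplit keeps path parameters in .path, so a query string cannot mask a hit
            match = SESSION_PATH_PARAM.search(urlsplit(value).path)
            if match:
                self.findings.append((tag, value, match.group(1)))


def find_rewritten_urls(html):
    """Return every URL in the page that embeds a session ID as a path parameter."""
    parser = RewrittenUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def url_rewriting_disabled(html):
    """True when no URL leaks a session ID, i.e. disableURLRewriting is being honoured."""
    return not find_rewritten_urls(html)


# Constructed sample responses, not captured from a real server.
LEAKING_PAGE = """<html><body>
<a href="/app/cart.jsp;jsessionid=ABCDEF0123456789?item=42">Cart</a>
<form action="/app/checkout;jsessionid=ABCDEF0123456789" method="post"></form>
<a href="/app/help.jsp">Help</a></body></html>"""
CLEAN_PAGE = """<html><body><a href="/app/cart.jsp?item=42">Cart</a>
<form action="/app/checkout" method="post"></form></body></html>"""
```

Fetch the pages with a client that sends no cookies: Tomcat only rewrites URLs for a request whose session was not established from a cookie, so a cookie-bearing client would see clean links even when rewriting is still active.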
Metric | Value |
---|---|
Base Score | 4.3 |
Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | None |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (tomcat6) | RHSA-2014:0525 | 2014-05-21 |
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (tomcat6) | RHSA-2014:0525 | 2014-05-21 |
Platform | Package | State |
---|---|---|
Red Hat JBoss Portal Platform 6 | jbossweb | Not affected |
Red Hat JBoss Operations Network 3 | jbossweb | Not affected |
Red Hat JBoss Fuse Service Works 6 | jbossweb | Not affected |
Red Hat JBoss EWS 2 | tomcat7 | Not affected |
Red Hat JBoss EWS 1 | tomcat6 | Not affected |
Red Hat JBoss EWS 1 | tomcat5 | Not affected |
Red Hat JBoss EAP 6 | jbossweb | Not affected |
Red Hat JBoss EAP 5 | jbossweb | Will not fix |
Red Hat JBoss Data Virtualization 6 | jbossweb | Not affected |
Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
Red Hat JBoss BRMS 6 | jbossweb | Not affected |
Red Hat JBoss BPMS 6 | jbossweb | Not affected |
Red Hat Enterprise Linux 7 | tomcat | Not affected |
Red Hat Enterprise Linux 6 | tomcat6 | Not affected |
Red Hat Enterprise Linux 5 | tomcat5 | Not affected |