Apache Tomcat security advisory TOMCAT:00302244B8EC1609058A7D794F9472C7

Fixed in Apache Tomcat 6.0.37

Published: 2013-05-03
Source: Apache Tomcat, tomcat.apache.org

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE
Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.923 High (percentile 98.9%)

Important: Session fixation CVE-2013-2067

FORM authentication associates the most recent request requiring authentication with the current session and replays that saved request once the login succeeds. By repeatedly sending a request for an authenticated resource with the victim's session ID (known to the attacker because the attacker fixed it) while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.

Note that the option to change session ID on authentication was added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation was an application responsibility. This vulnerability represents a bug in Tomcat’s session fixation protection that was added in 6.0.21. Hence, only versions 6.0.21 onwards are listed as vulnerable.

This was fixed in revision 1417891.

This issue was identified by the Tomcat security team on 15 Oct 2012 and made public on 10 May 2013.

Affects: 6.0.21-6.0.36
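The race described above, as an added example that is not Tomcat's code: a toy model of a container that keeps one "saved request" slot per session and replays it after FORM login. The credentials, URIs and the rotate-on-login-form mitigation are assumptions made for this example; the mitigation illustrates one generic way to break the race and is not a description of the fix in revision 1417891.

```python
"""
Added example (not Tomcat's code): a toy model of FORM authentication's
'saved request' slot, showing how a request injected into a fixated session
(CVE-2013-2067) ends up replayed with the victim's credentials.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    principal: Optional[str] = None      # set once the user has logged in
    saved_request: Optional[str] = None  # URI the container will replay after login


class FormAuthServer:
    """Minimal model of a container doing FORM login with request replay.

    rotate_on_login_form=False models the vulnerable behaviour in the advisory:
    whoever presents the session ID can keep replacing the saved request right
    up to the moment the login form is submitted.
    rotate_on_login_form=True is an illustrative mitigation (an assumption for
    this example, not the Tomcat patch): the session ID is renewed the moment
    the login form is shown, so an ID the attacker planted no longer reaches
    the victim's saved request.
    """

    USERS = {"alice": "correct-horse"}  # constructed credential store

    def __init__(self, rotate_on_login_form: bool = False):
        self.rotate_on_login_form = rotate_on_login_form
        self.sessions: Dict[str, Session] = {}
        self.executed: List[Tuple[str, str]] = []  # (principal, uri) actually served

    def _new_id(self) -> str:
        return secrets.token_hex(8)

    def fixate(self) -> str:
        """Attacker obtains a valid session ID to plant in the victim's browser."""
        sid = self._new_id()
        self.sessions[sid] = Session()
        return sid

    def get(self, sid: str, uri: str) -> Tuple[str, str]:
        """GET a protected resource. Returns (session id to keep using, outcome)."""
        sess = self.sessions.setdefault(sid, Session())
        if sess.principal is not None:
            self.executed.append((sess.principal, uri))
            return sid, "executed"
        # Not authenticated: remember the URI and show the login form.
        # The vulnerable container overwrites the slot on every such request.
        sess.saved_request = uri
        if self.rotate_on_login_form:
            new_sid = self._new_id()
            self.sessions[new_sid] = self.sessions.pop(sid)
            return new_sid, "login-form"
        return sid, "login-form"

    def post_login(self, sid: str, username: str, password: str) -> Tuple[str, str]:
        """Submit the login form; on success replay whatever request was saved."""
        sess = self.sessions.get(sid)
        if sess is None or self.USERS.get(username) != password:
            return sid, "denied"
        # Session fixation protection as described for 6.0.21+: a fresh ID on
        # authentication. The saved request is carried over with the session.
        new_sid = self._new_id()
        self.sessions[new_sid] = sess = self.sessions.pop(sid)
        sess.principal = username
        target, sess.saved_request = sess.saved_request, None
        if target is not None:
            self.executed.append((username, target))
        return new_sid, "replayed %s" % target


def run_scenario(rotate_on_login_form: bool) -> List[Tuple[str, str]]:
    """Play the race from the advisory; return what ran under whose identity."""
    server = FormAuthServer(rotate_on_login_form)
    planted = server.fixate()                     # attacker plants this ID on the victim
    victim_sid, outcome = server.get(planted, "/account/profile")
    assert outcome == "login-form"
    # While the victim types credentials, the attacker hammers the planted ID
    # with the state-changing request it wants executed as the victim.
    for _ in range(3):
        server.get(planted, "/account/transfer?to=attacker&amount=1000")
    server.post_login(victim_sid, "alice", "correct-horse")
    return server.executed


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))
    print("mitigated: ", run_scenario(True))
```

In the vulnerable run the only request executed as alice is the attacker's transfer; renewing the ID on authentication does not help, because the injected request is already sitting in the session that gets carried over.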

Important: Denial of service CVE-2012-3544

When processing a request submitted using the chunked transfer encoding, Tomcat skipped over any chunk extensions that were included but did not limit their size. This allows a client to perform a limited denial of service (DoS) by streaming an unlimited amount of extension data that the server reads and discards.

This was fixed in revision 1476592.

This issue was reported to the Tomcat security team on 10 November 2011 and made public on 10 May 2013.

Affects: 6.0.0-6.0.36
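The chunk-extension problem above, as an added example that is not Tomcat's code: a minimal decoder for HTTP/1.1 chunked bodies run in two modes, one that skips extensions without bound (the behaviour the advisory describes) and one that refuses to scan past a fixed extension budget. The budget and digit limits are assumptions chosen for this example, not Tomcat's values.

```python
"""
Added example (not Tomcat's code): a minimal HTTP/1.1 chunked-body decoder
showing the unbounded chunk-extension problem of CVE-2012-3544 beside a
bounded variant. The limit values are assumptions for this example.
"""

MAX_EXTENSION_BYTES = 8192  # assumption: cumulative extension budget per request
MAX_SIZE_DIGITS = 16        # assumption: hex digits allowed in a chunk-size field


class ChunkError(Exception):
    """Raised when the chunked body is malformed or exceeds a limit."""


def decode_chunked(body, max_extension_bytes=None):
    """Decode a chunked message body; return (payload, extension_bytes_seen).

    max_extension_bytes=None reproduces the pre-fix behaviour: every
    chunk-extension byte is read and discarded with no upper bound, so a
    client can keep the server reading for as long as it likes. With a budget
    the decoder never scans past the bytes the budget still allows, so the
    server stops early instead of consuming the whole stream.
    """
    out = bytearray()
    pos = 0
    ext_seen = 0
    while True:
        # Chunk header line: <hex size>[;ext[=value]]...CRLF
        if max_extension_bytes is None:
            scan_end = len(body)
        else:
            remaining = max_extension_bytes - ext_seen
            scan_end = min(len(body), pos + MAX_SIZE_DIGITS + remaining + 2)
        eol = body.find(b"\r\n", pos, scan_end)
        if eol < 0:
            if scan_end < len(body):
                raise ChunkError("chunk extensions exceed %d bytes" % max_extension_bytes)
            raise ChunkError("chunk header line not terminated")
        size_field, sep, extensions = body[pos:eol].partition(b";")
        pos = eol + 2
        if sep:
            ext_seen += 1 + len(extensions)  # the ';' plus everything after it
            if max_extension_bytes is not None and ext_seen > max_extension_bytes:
                raise ChunkError("chunk extensions exceed %d bytes" % max_extension_bytes)
        size_field = size_field.strip()
        if not size_field or len(size_field) > MAX_SIZE_DIGITS:
            raise ChunkError("bad chunk-size field")
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkError("bad chunk-size field") from None
        if size < 0:
            raise ChunkError("bad chunk-size field")
        if size == 0:
            # Last chunk: optional trailer lines, then an empty line.
            # (Trailer limits are a separate concern and are not modelled here.)
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkError("trailer not terminated")
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return bytes(out), ext_seen
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkError("missing CRLF after chunk data")
        pos += 2


def chunked_body(chunks, extension=b""):
    """Build a chunked body (constructed input) with one extension per chunk."""
    parts = []
    for data in chunks:
        header = b"%x" % len(data)
        if extension:
            header += b";" + extension
        parts.append(header + b"\r\n" + data + b"\r\n")
    parts.append(b"0\r\n\r\n")
    return b"".join(parts)


def is_rejected(body, max_extension_bytes):
    """True if the bounded decoder refuses the body."""
    try:
        decode_chunked(body, max_extension_bytes)
    except ChunkError:
        return True
    return False


if __name__ == "__main__":
    flood = chunked_body([b"Wiki", b"pedia"], b"x" * 100000)  # constructed abuse
    print("unbounded:", decode_chunked(flood))
    print("bounded rejects:", is_rejected(flood, MAX_EXTENSION_BYTES))
```

The unbounded mode dutifully reads and throws away every byte of the 100 kB extensions and still returns the nine-byte payload; the bounded mode stops after scanning at most the budget, which is the behaviour a server needs so that a slow trickle of extension bytes cannot tie up a connection and its parser indefinitely.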
