Application Vulnerabilities in Tomcat 8.5 on SDM 17.1

Article Id: 144349

Status: Published

Updated On: 04-02-2020 19:11

Products:

CA Service Desk Manager , SUPPORT AUTOMATION- SERVER , CA Service Desk Manager - Unified Self Service , KNOWLEDGE TOOLS , CA Service Desk Manager - Mobile Application , CA Service Desk Manager - Xtraction

Issue/Introduction:

Having a server that has deterministic session identifiers can lead to session hi-jacking. Specifying a randomClass attribute allows for truly random session identifiers.

Cause:

By default the entropy attribute on session managers uses the string representation of the Manager class name. Leading to a deterministic session identifier.

Environment:

Release : 17.2

Component : SERVICE DESK MANAGER

Resolution:

For Unix platform:
In “$CATALINA_HOME/conf/context.xml”, set the following:
<Manager ... randomClass=“java.security.SecureRandom” />

For Windows platform:
In “%CATALINA_HOME%\conf\context.xml”, set the following:
<Manager ... randomClass=“java.security.SecureRandom” />

Additional Information:

Please refer the document on tomcat 8.5: https://tomcat.apache.org/tomcat-8.5-doc/config/cluster-manager.html about secureRandomClass. This is the class used to generate the session id's, and this is the class considered as default value. If you still want to add it can be added in server.xml or context.xml.