Application Vulnerabilities in Tomcat 8.5 on SDM 17.1
Article ID: 144349
Products
CA Service Desk Manager
SUPPORT AUTOMATION - SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Desk Manager - Mobile Application
CA Service Desk Manager - Xtraction
Issue/Introduction
A server that issues deterministic (predictable) session identifiers is exposed to session hijacking. Setting the secureRandomClass attribute on the session Manager makes Tomcat generate session identifiers from a cryptographically strong random source.
Cause
By default, the entropy attribute on session managers uses the string representation of the Manager class name as its seed, which leads to deterministic session identifiers.
Environment
Release : 17.2
Component : SERVICE DESK MANAGER
Resolution
On Unix platforms: in "$CATALINA_HOME/conf/context.xml", set the following on the Manager element: <Manager ... secureRandomClass="java.security.SecureRandom" />
On Windows platforms: in "%CATALINA_HOME%\conf\context.xml", set the following on the Manager element: <Manager ... secureRandomClass="java.security.SecureRandom" />
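The following check is an added example and is not part of the original article or of the CA Service Desk Manager product; it parses a Tomcat context.xml (or server.xml, which nests the Manager deeper) and reports whether each Manager element explicitly names java.security.SecureRandom as its secureRandomClass, flags the pre-8.5 randomClass attribute, and notes when the attribute is absent and Tomcat's default applies. The two XML documents embedded below are constructed samples; in practice the file would be read from $CATALINA_HOME/conf/context.xml.

```python
"""Check Tomcat context.xml / server.xml for an explicit secure session-ID generator.

Added example, not code from the original article or from the product.
The sample XML strings are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Tomcat 8.5 default secureRandomClass, and the value the article recommends.
EXPECTED_CLASS = "java.security.SecureRandom"

# Constructed sample: context.xml after applying the article's resolution.
SAMPLE_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <Manager secureRandomClass="java.security.SecureRandom" />
</Context>
"""

# Constructed sample: a file that still uses the pre-Tomcat-7 attribute name.
SAMPLE_LEGACY = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Manager randomClass="java.security.SecureRandom" />
</Context>
"""


def manager_findings(xml_text):
    """Return a list of (status, detail) tuples, one per <Manager> element.

    status is one of:
      "ok"      - secureRandomClass is explicitly java.security.SecureRandom
      "default" - attribute absent; Tomcat 8.5 falls back to SecureRandom
      "review"  - another class is named, or the legacy randomClass attribute
                  (not a Manager attribute in Tomcat 8.5) is present
    """
    root = ET.fromstring(xml_text)
    findings = []
    # iter() finds <Manager> both directly under <Context> (context.xml) and
    # nested under Server/Service/Engine/Host/Context (server.xml).
    for mgr in root.iter("Manager"):
        attrs = mgr.attrib
        cls = attrs.get("secureRandomClass")
        if "randomClass" in attrs:
            findings.append(("review",
                             "legacy 'randomClass' attribute is not recognised by "
                             "Tomcat 8.5; use secureRandomClass instead"))
        elif cls is None:
            findings.append(("default",
                             "secureRandomClass not set; Tomcat 8.5 default is "
                             + EXPECTED_CLASS))
        elif cls == EXPECTED_CLASS:
            findings.append(("ok", "secureRandomClass=" + cls))
        else:
            findings.append(("review", "non-default secureRandomClass=" + cls))
    if not findings:
        findings.append(("default",
                         "no <Manager> element; StandardManager defaults apply"))
    return findings


def is_explicitly_hardened(xml_text):
    """True only when every Manager element names SecureRandom explicitly."""
    return all(status == "ok" for status, _ in manager_findings(xml_text))


if __name__ == "__main__":
    for label, doc in (("hardened", SAMPLE_HARDENED), ("legacy", SAMPLE_LEGACY)):
        print(label, manager_findings(doc))
```

The "default" status is deliberately distinct from "ok": on Tomcat 8.5 the absence of the attribute is safe, but the explicit setting is what the resolution above asks for and what an auditor can verify without consulting the Tomcat defaults for the installed version.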
Additional Information
Please refer to the Tomcat 8.5 documentation at https://tomcat.apache.org/tomcat-8.5-doc/config/cluster-manager.html for secureRandomClass. This attribute names the class used to generate session IDs, and java.security.SecureRandom is already its default value. If you still want to set it explicitly, it can be added to the Manager element in server.xml or context.xml.