Application Vulnerabilities in Tomcat 8.5 on SDM 17.1

Article ID: 144349

Products

CA Service Desk Manager SUPPORT AUTOMATION- SERVER CA Service Desk Manager - Unified Self Service KNOWLEDGE TOOLS CA Service Desk Manager - Mobile Application CA Service Desk Manager - Xtraction

Issue/Introduction

A server that issues deterministic session identifiers is exposed to session hijacking. Specifying a randomClass attribute allows for truly random session identifiers.

Cause

By default, the entropy attribute on session managers uses the string representation of the Manager class name, which leads to a deterministic session identifier.

Environment

Release : 17.2

Component : SERVICE DESK MANAGER

Resolution

For Unix platform:
In "$CATALINA_HOME/conf/context.xml", set the following:
<Manager ... randomClass="java.security.SecureRandom" />

For Windows platform:
In "%CATALINA_HOME%\conf\context.xml", set the following:
<Manager ... randomClass="java.security.SecureRandom" />
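An added audit check, not part of this article or of Tomcat, that reads a context.xml (or server.xml) and reports which random class each <Manager> element is configured with; the sample XML fragments are constructed here, and the check accepts both the randomClass spelling used above and the secureRandomClass name documented for Tomcat 8.5:

```python
"""Audit Tomcat <Manager> elements for the session-ID random class.

Added example with constructed sample input; not Tomcat's own code.
"""
import xml.etree.ElementTree as ET

# Class the article recommends; also the documented Tomcat 8.5 default.
SECURE_RANDOM = "java.security.SecureRandom"

# Constructed context.xml before the fix: an explicit, non-secure class.
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           secureRandomClass="java.util.Random"/>
</Context>"""

# Constructed context.xml after applying the resolution above.
FIXED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           secureRandomClass="java.security.SecureRandom"/>
</Context>"""


def audit_managers(xml_text):
    """Return one (manager class, random class, ok) tuple per <Manager>.

    Tomcat 8.5 names the attribute secureRandomClass; the older spelling
    randomClass is checked as well. A Manager with neither attribute
    inherits the SecureRandom default and is reported as "(default)";
    any explicit class other than SecureRandom is flagged (ok=False).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for mgr in root.iter("Manager"):
        cls = mgr.get("secureRandomClass") or mgr.get("randomClass")
        ok = cls is None or cls == SECURE_RANDOM
        findings.append((mgr.get("className"), cls or "(default)", ok))
    return findings


def is_secure(xml_text):
    """True when every <Manager> uses SecureRandom explicitly or by default."""
    return all(ok for _, _, ok in audit_managers(xml_text))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_CONTEXT), ("fixed", FIXED_CONTEXT)):
        for mgr_cls, rnd_cls, ok in audit_managers(xml):
            print(f"{label}: {mgr_cls} -> {rnd_cls} {'OK' if ok else 'FLAG'}")
```

To audit a real deployment, pass the contents of $CATALINA_HOME/conf/context.xml to audit_managers() in place of the constructed samples.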

Additional Information

Please refer to the Tomcat 8.5 documentation at https://tomcat.apache.org/tomcat-8.5-doc/config/cluster-manager.html for the secureRandomClass attribute. This is the class used to generate the session IDs, and java.security.SecureRandom is already its default value. If you still want to set it explicitly, it can be added in server.xml or context.xml.