Application Vulnerabilities in Tomcat 8.5 on SDM 17.1
Article ID: 144349
Updated On:
Products
CA Service Desk Manager
SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Desk Manager - Mobile Application
CA Service Desk Manager - Xtraction
Issue/Introduction
Having a server that has deterministic session identifiers can lead to session hi-jacking. Specifying a randomClass attribute allows for truly random session identifiers.
Cause
By default the entropy attribute on session managers uses the string representation of the Manager class name. Leading to a deterministic session identifier.
Environment
Release : 17.2
Component : SERVICE DESK MANAGER
Resolution
For Unix platform:
In “$CATALINA_HOME/conf/context.xml”, set the following:
<Manager ... randomClass=“java.security.SecureRandom” />
For Windows platform:
In “%CATALINA_HOME%\conf\context.xml”, set the following:
<Manager ... randomClass=“java.security.SecureRandom” />
In “$CATALINA_HOME/conf/context.xml”, set the following:
<Manager ... randomClass=“java.security.SecureRandom” />
For Windows platform:
In “%CATALINA_HOME%\conf\context.xml”, set the following:
<Manager ... randomClass=“java.security.SecureRandom” />
Additional Information
Please refer the document on tomcat 8.5: https://tomcat.apache.org/tomcat-8.5-doc/config/cluster-manager.html about secureRandomClass. This is the class used to generate the session id's, and this is the class considered as default value. If you still want to add it can be added in server.xml or context.xml.
Feedback
Powered by
