Application Vulnerabilities in Tomcat 8.5 on SDM 17.1
Article ID: 144349
Products
CA Service Desk Manager, SUPPORT AUTOMATION - SERVER, CA Service Desk Manager - Unified Self Service, CA Service Desk Manager - Mobile Application, CA Service Desk Manager - Xtraction
Issue/Introduction
A server that issues deterministic session identifiers is exposed to session hijacking. Specifying a randomClass attribute allows for truly random session identifiers.
Environment
Release: 17.2
Component: SERVICE DESK MANAGER
Cause
By default, the entropy attribute on session managers uses the string representation of the Manager class name, leading to a deterministic session identifier.
Resolution
For Unix platforms: in "$CATALINA_HOME/conf/context.xml", set the following: <Manager ... randomClass="java.security.SecureRandom" />
For Windows platforms: in "%CATALINA_HOME%\conf\context.xml", set the following: <Manager ... randomClass="java.security.SecureRandom" />
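As an added verification step (not part of this article and not CA/Broadcom code), the following Python script parses a context.xml and reports whether the Manager element explicitly names java.security.SecureRandom. It accepts both the randomClass attribute shown above and secureRandomClass, the attribute name used in the Tomcat 8.5 documentation linked below; the sample XML strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SECURE_CLASS = "java.security.SecureRandom"
# Attribute names to look for: secureRandomClass (Tomcat 8.5 docs) and randomClass (this article)
RANDOM_ATTRS = ("secureRandomClass", "randomClass")


def check_manager_random(context_xml: str) -> dict:
    """Return a report on how the session Manager in a context.xml string
    configures its random source. Keys: manager_present, attribute, value,
    explicit_secure_random (True only when SecureRandom is set explicitly)."""
    root = ET.fromstring(context_xml)
    # <Manager> is normally a child of <Context>, but handle a bare <Manager> root too
    manager = root if root.tag == "Manager" else root.find(".//Manager")
    report = {"manager_present": manager is not None, "attribute": None,
              "value": None, "explicit_secure_random": False}
    if manager is None:
        return report
    for attr in RANDOM_ATTRS:
        if attr in manager.attrib:
            value = manager.attrib[attr].strip()
            report.update(attribute=attr, value=value,
                          explicit_secure_random=(value == SECURE_CLASS))
            break
    return report


# Constructed sample inputs (not real deployment files)
CONTEXT_WITH_MANAGER = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           secureRandomClass="java.security.SecureRandom" />
</Context>"""
CONTEXT_LEGACY_ATTR = """<Context>
  <Manager randomClass="java.security.SecureRandom" />
</Context>"""
CONTEXT_WITHOUT_MANAGER = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""


if __name__ == "__main__":
    for name, xml in (("explicit", CONTEXT_WITH_MANAGER),
                      ("legacy", CONTEXT_LEGACY_ATTR),
                      ("missing", CONTEXT_WITHOUT_MANAGER)):
        print(name, check_manager_random(xml))
```

A Manager element without either attribute is not flagged as insecure by this check, since the linked Tomcat 8.5 documentation states SecureRandom is already the default; the report only tells you whether the setting is explicit, as this article recommends.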
Additional Information
Please refer to the Tomcat 8.5 documentation at https://tomcat.apache.org/tomcat-8.5-doc/config/cluster-manager.html for the secureRandomClass attribute. This is the class used to generate the session ids, and it is already the default value. If you still want to set it explicitly, it can be added in server.xml or context.xml.