Problem Note 11132: Potential security/data integrity issues when using Tomcat 4.1.18
A race condition in the session recycling code has been identified in
Tomcat 4.1.18, which could cause two different browser clients to share
the same session object on the server. This results in different users
seeing, and possibly overwriting, each other's session data.
As a result, session recycling was disabled in Tomcat 4.1.24 and has
been removed from Tomcat 5.0.x.
A fix for Tomcat 4.1.18, which applies the same code change that was
used to resolve the problem in Tomcat 4.1.24, is available at:
http://ftp.sas.com/techsup/download/hotfix/tomcat4118.html
Operating System and Release Information
SAS System | Apache Jakarta Tomcat |
Microsoft Windows 2000 Server | 4.1.18 | 4.1.27 |
Microsoft Windows NT Workstation | 4.1.18 | 4.1.27 |
Microsoft Windows 2000 Datacenter Server | 4.1.18 | 4.1.27 |
Microsoft Windows 2000 Professional | 4.1.18 | 4.1.27 |
Microsoft Windows 2000 Advanced Server | 4.1.18 | 4.1.27 |
HP-UX | 4.1.18 | 4.1.27 |
Linux | 4.1.18 | 4.1.27 |
64-bit Enabled AIX | 4.1.18 | 4.1.27 |
Microsoft Windows XP Professional | 4.1.18 | 4.1.27 |
64-bit Enabled HP-UX | 4.1.18 | 4.1.27 |
Tru64 UNIX | 4.1.18 | 4.1.27 |
AIX | 4.1.18 | 4.1.27 |
* For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.
Type: | Problem Note |
Priority: | high |
Date Modified: | 2003-12-05 10:55:54 |
Date Created: | 2003-10-24 11:14:47 |