Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

Moritz Muehlenhoff jmm at inutil.org
Mon Jan 10 17:51:23 UTC 2011

On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote:
> FYI, we applied patches for that Apache upstream SVN revision as part of
> CVE-2010-4172.  I reviewed the patch posted here [0], and we already
> have all of it except for this bit.

CVE-2010-4172 is fully fixed. MITRE later on assigned CVE-2010-4312
to this section from the original advisory:

> Users should be aware that Tomcat 6 does not use httpOnly for session
> cookies by default so this vulnerability could expose session cookies
> from the manager application to an attacker.

httpOnly has been made the default in Tomcat 7, so this ID is
essentially about an insecure default setting.

For Tomcat 6 I don't esee the need to change the default (which might 
even break applications). Instead such settings should be taken into 
account when setting up a Tomcat site.

For Squeeze you add a README.Debian or such pointing to the option
and the recommendation to use the option?


More information about the pkg-java-maintainers mailing list