Article - CS162988
Security Vulnerability in Apache Tomcat when using Tomcat to provide Forms Based Authentication in Windchill
Modified: 11-Apr-2016
Applies To
- Windchill PDMLink 9.1 to 10.1
Description
- Windchill customers should be aware of a security vulnerability in older versions of Apache Tomcat when using Tomcat for Forms Based Authentication
- Older releases of Tomcat are vulnerable to an issue that may allow an attacker to hijack a session and gain unauthorized access to Windchill
- This issue only affects customers that have implemented Forms Based Authentication using a login.jsp in Tomcat that uses the Tomcat authentication mechanism
- Windchill has only supported Forms Based Authentication since 10.1 M010
- Note: Windchill does not provide this configuration out of the box
- Customization is required by the customer to implement Forms Based Authentication in this manner.
- For additional information on Forms Based Authentication see Configuring an Alternative Authentication in Windchill in the Windchill Help Center
- The details on the vulnerability can be found at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2067
- This issue affects Tomcat 7.0.0 through 7.0.32 and Tomcat 6.0.0 through 6.0.36
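The following triage helper is an added example, not PTC's or Apache Tomcat's code. It applies the two conditions this article states (an affected Tomcat version AND container-managed FORM authentication declared in the web application) to two inputs an administrator already has: the output of Tomcat's `version.sh` / `catalina.sh version` and the application's web.xml. The sample inputs are constructed, and the exact `Server number:` / `Apache Tomcat/` line formats are assumed to match what those scripts print.

```python
"""Check whether a Tomcat deployment matches the CVE-2013-2067 exposure conditions
described in this article: affected version range AND FORM authentication in use."""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the article (inclusive): 7.0.0-7.0.32 and 6.0.0-6.0.36
AFFECTED_RANGES = [((7, 0, 0), (7, 0, 32)), ((6, 0, 0), (6, 0, 36))]

# Constructed sample inputs (not taken from a real system)
SAMPLE_VERSION_OUTPUT = (
    "Server version: Apache Tomcat/7.0.32\n"
    "Server number:  7.0.32.0\n"
    "OS Name:        Linux\n"
)
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp?error=1</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def parse_tomcat_version(version_output: str) -> tuple:
    """Return (major, minor, patch) from version.sh output (assumed line formats)."""
    m = re.search(r"Server number:\s*(\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        raise ValueError("no Tomcat version found in output")
    return tuple(int(x) for x in m.groups())

def version_is_affected(version: tuple) -> bool:
    """Numeric tuple comparison, so 7.0.9 correctly sorts below 7.0.32."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def uses_form_auth(web_xml: str) -> bool:
    """True if web.xml declares <auth-method>FORM</auth-method>; namespace-agnostic."""
    for el in ET.fromstring(web_xml).iter():
        local_name = el.tag.rsplit("}", 1)[-1]
        if local_name == "auth-method" and (el.text or "").strip().upper() == "FORM":
            return True
    return False

def exposed_to_cve_2013_2067(version_output: str, web_xml: str) -> bool:
    """Both article conditions must hold for the deployment to be exposed."""
    return version_is_affected(parse_tomcat_version(version_output)) and uses_form_auth(web_xml)
```

A deployment that fails either condition (patched Tomcat, or BASIC/SPNEGO rather than FORM login) is reported as not exposed, matching the article's scoping.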