01 · The Real Story
This is like planting a spare key in a lock only if the victim later grabs the exact reused doorknob you tampered with
This finding maps to CVE-2015-5346, a Tomcat session fixation bug caused by the requestedSessionSSL field not being recycled correctly when Tomcat reuses a Request object. For Tomcat 7, Apache says the affected range is 7.0.5 through 7.0.65; the fix shipped in 7.0.67 because the 7.0.66 release candidate never became a formal release. The bug matters only when at least one deployed application is configured to use the SSL session ID as the HTTP session ID, which Apache explicitly says is uncommon.
The vendor-style CVSS 8.1 / High overstates enterprise risk here. Apache itself rated it Low, and the vendor note explains why: the attacker cannot force the victim onto the 'correct' recycled Request object, so exploitation depends on both a rare configuration and a hard-to-control runtime condition. In practice this is not a front-door internet RCE; it is a narrow session hijack edge case with weak evidence of operational abuse.
"Low-priority edge case: uncommon config plus lucky request-object reuse, with no real-world exploitation signal."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Find a Tomcat app using SSL session IDs for session tracking
The attacker first needs a Tomcat deployment in the vulnerable range and, critically, at least one webapp configured to use the SSL session ID as the HTTP session ID. Apache states this is not a common configuration. A tester would usually probe this with browser dev tools,
curl, or Burp Suite while watching whether session state binds to TLS-session behavior rather than normal cookie rotation.Conditions required:
- Tomcat 7.0.5-7.0.65
- HTTPS in use
- At least one application configured to use SSL session ID as HTTP session ID
Where this breaks in practice:
- Apache says this configuration is uncommon
- Many enterprises use standard cookie-backed
JSESSIONIDhandling instead - Load balancers and TLS termination often change session behavior and reduce reproducibility
Detection/coverage: Version scanners catch the product range, but they do not validate the uncommon session configuration prerequisite.
STEP 02
Manipulate request reuse on a live connector
The bug appears when Tomcat recycles a
Request object for a subsequent request without clearing requestedSessionSSL. The attacker has to drive traffic patterns that make the next request inherit the stale field in a useful way. Burp Repeater or custom keep-alive request tooling can help experiment, but the attacker still cannot deterministically pick which victim request lands on which recycled object.Conditions required:
- Ability to send repeated requests to the target over the same application path
- Connector behavior that reuses
Requestobjects in exploitable timing
Where this breaks in practice:
- Apache explicitly says the attacker cannot force the victim to use the 'correct'
Requestobject - Race and timing dependence make lab success hard to translate into production reliability
- High concurrency, proxies, and app-layer routing reduce attacker control further
Detection/coverage: No mainstream scanner proves this step. Expect weak log artifacts unless you already capture abnormal session-binding behavior in app telemetry.
STEP 03
Fixate a session identifier before victim authentication
If the stale session state lines up, the attacker attempts to pre-position a session identifier that the victim later authenticates under. This is classic session fixation, not direct auth bypass. The attacker still needs the victim to complete an authenticated workflow while tied to the attacker-influenced session context.
Conditions required:
- Victim must authenticate after fixation succeeds
- Application must not aggressively rotate session identifiers on login
Where this breaks in practice:
- Well-built applications rotate sessions after authentication
- User behavior and timing are outside attacker control
- MFA and risk-based auth can limit the value of a stolen session even if fixation lands
Detection/coverage: App logs may show odd session reuse across requests, but most environments do not alert specifically on session fixation patterns.
STEP 04
Use the hijacked session
The end state is account session hijacking within the affected application. The blast radius is the privileges of that victim session, not host-level code execution or broad unauthenticated server compromise. That makes impact very context-dependent and usually confined to one application tenant or user account.
Conditions required:
- Successful fixation against a real user session
- Session remains valid and accepted by the application
Where this breaks in practice:
- Short session lifetimes, re-auth prompts, and device binding reduce usefulness
- Impact is limited to application-level access rather than server takeover
Detection/coverage: EDR will usually see nothing. Detection is primarily in web-session analytics, impossible-travel/session anomalies, and account-behavior monitoring.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No authoritative exploitation signal found. CVE-2015-5346 does not appear in the CISA KEV catalog, and Tenable's plugin still says 'No known exploits are available.' |
|---|---|
| Proof-of-concept availability | There is a public Packet Storm reference linked by NVD, but reviewed sources do not show a widely used turnkey exploit chain. |
| EPSS | Use the live FIRST EPSS API for current scoring in your workflow. This reassessment did not depend on EPSS because the exploit chain is dominated by configuration and runtime friction. |
| KEV status | Not KEV-listed in the CISA catalog. No KEV due date applies. |
| CVSS vs reality | NVD scores it 8.1 / High with CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, but Apache rates it Low and says exploitation would be hard because the attacker cannot force reuse of the needed Request object. |
| Affected versions | Apache Tomcat 7 is affected from 7.0.5 through 7.0.65 according to the upstream advisory. NVD's broader wording says 'before 7.0.66,' but Apache clarifies the affected 7.x range more precisely. |
| Fixed versions | Upstream fix is Tomcat 7.0.67. Distro backports exist, including Ubuntu 14.04 tomcat7 7.0.52-1ubuntu0.6, Ubuntu 15.10 7.0.64-1ubuntu0.3, and Debian jessie 7.0.56-3+deb8u2. |
| Scanner/detection coverage | Tenable plugin 121118 is a version-only check: it says Nessus 'has not tested for this issue' and relies on the application's self-reported version. That is good for inventory triage, bad for exploitability confidence. |
| Exposure/scanning data | Public Tomcat 7 hosts still exist on the internet; for example, Shodan facet results show banners such as Apache Tomcat/7.0.65. But no reviewed authoritative source showed a CVE-2015-5346-specific scanning surge or campaign telemetry. |
| Disclosure and reporter | Apache says the Tomcat security team identified the issue on 2014-06-22 and made it public on 2016-02-22. NVD lists publication on 2016-02-24/25, depending on feed rendering. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (2.9/10)
The decisive factor is the rare prerequisite stack: vulnerable version plus an uncommon SSL-session-ID-based session configuration plus a hard-to-control recycled-request condition. That compound friction collapses the reachable population and makes this a poor candidate for opportunistic internet exploitation despite the inflated CVSS base score.
HIGH Technical understanding of the vulnerability mechanics and affected versions
HIGH Assessment that the vendor-style CVSS score overstates real-world enterprise risk
MEDIUM Internet exposure/scanning observations because CVE-specific telemetry is limited in public authoritative sources
Why this verdict
- Baseline down from 8.1/High: Apache, the product maintainer, rates this issue Low and explicitly calls exploitation hard.
- Major prerequisite friction: exploitation requires at least one webapp configured to use the SSL session ID as the HTTP session ID, which Apache says is not a common configuration.
- Runtime control is weak: the attacker cannot force the victim onto the needed recycled
Requestobject, so success depends on timing and connector reuse behavior rather than a reliable request/response primitive. - Impact is session hijack, not server compromise: even if it works, the outcome is application-session takeover with blast radius limited to the victim account or app context.
- Threat intel is quiet: no KEV listing, no reviewed campaign reporting, and Tenable still notes no known exploits.
Why not higher?
This does not behave like a clean unauthenticated remote exploit. The attack chain narrows sharply at each stage: uncommon configuration, timing-sensitive object reuse, and the need to convert fixation into a real victim-authenticated session. That is too much friction for a HIGH or CRITICAL operational priority.
Why not lower?
It is still a genuine remotely reachable security flaw in public-facing middleware, and the end state can be session hijacking of legitimate users. If you run legacy Tomcat with unusual session handling, the bug is not theoretical enough to ignore completely.
05 · Compensating Control
What to do — in priority order.
- Use cookie-only session tracking — Disable any application pattern that binds the HTTP session to the SSL session ID rather than normal cookie rotation. This directly removes the unusual prerequisite that makes CVE-2015-5346 matter; for a LOW verdict there is no SLA, so do this during normal hardening and configuration review.
- Rotate sessions on authentication — Ensure applications issue a fresh session identifier after login and privilege changes. That breaks the fixation-to-hijack transition even if a stale pre-auth session were influenced; for a LOW verdict, fold this into routine app-security hygiene rather than emergency change windows.
- Keep Tomcat admin surfaces internal — Limit Manager and Host Manager access to internal admin networks and authenticated operators only. It does not fix this CVE directly, but it reduces adjacent session abuse opportunities on the same legacy Tomcat estate; apply in the normal maintenance cycle.
- Shorten session lifetime for sensitive apps — Short session TTLs, re-authentication on sensitive actions, and device/risk checks reduce the value of any hijacked application session. This is a sensible hardening step for internet-facing Tomcat applications where patching is delayed.
What doesn't work
- A WAF is not a reliable control here because the issue is internal request-object state reuse, not a distinct malicious payload signature.
- Network segmentation alone does not help if the affected application is intentionally public-facing over HTTPS.
- EDR on the host usually will not see meaningful evidence because successful exploitation ends in application-session abuse rather than binary execution.
06 · Verification
Crowdsourced verification payload.
Run this on the target Tomcat host with local read access to the Tomcat installation. Invoke it as sudo bash check_cve_2015_5346.sh /opt/tomcat (replace with your CATALINA_HOME or CATALINA_BASE); root is not strictly required unless Tomcat files are permission-restricted. The script prints only VULNERABLE, PATCHED, or UNKNOWN.
#!/usr/bin/env bash
# check_cve_2015_5346.sh
# Determine likely exposure to CVE-2015-5346 for upstream Apache Tomcat 7.
# Outputs exactly one of: VULNERABLE, PATCHED, UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -u
TARGET="${1:-${CATALINA_HOME:-${CATALINA_BASE:-}}}"
if [[ -z "$TARGET" || ! -d "$TARGET" ]]; then
echo "UNKNOWN"
exit 2
fi
# If this looks like a distro-managed install, version strings may be backported and misleading.
if command -v dpkg-query >/dev/null 2>&1; then
if dpkg-query -W -f='${Package}\n' 2>/dev/null | grep -Eq '^(tomcat7|tomcat8|tomcat9|libtomcat)'; then
echo "UNKNOWN"
exit 2
fi
fi
if command -v rpm >/dev/null 2>&1; then
if rpm -qa 2>/dev/null | grep -Eiq '^(tomcat|apache-tomcat|jboss-web-server)'; then
echo "UNKNOWN"
exit 2
fi
fi
version=""
# Try version.sh first.
if [[ -x "$TARGET/bin/version.sh" ]]; then
version=$("$TARGET/bin/version.sh" 2>/dev/null | awk -F': ' '/Server version number/ {print $2; exit}')
fi
# Fallback to RELEASE-NOTES / RUNNING.txt / manifest-like files.
if [[ -z "$version" ]]; then
for f in "$TARGET/RELEASE-NOTES" "$TARGET/RUNNING.txt" "$TARGET/lib/catalina.jar"; do
if [[ -r "$f" ]]; then
v=$(strings "$f" 2>/dev/null | grep -Eo '7\.0\.[0-9]+' | head -n1)
if [[ -n "$v" ]]; then
version="$v"
break
fi
fi
done
fi
if [[ ! "$version" =~ ^7\.0\.[0-9]+$ ]]; then
echo "UNKNOWN"
exit 2
fi
patch=${version##*.}
# CVE-2015-5346 affects Tomcat 7.0.5 through 7.0.65 inclusive.
# 7.0.66 was a failed release candidate; upstream fixed release is 7.0.67.
if (( patch >= 5 && patch <= 65 )); then
echo "VULNERABLE"
exit 1
fi
if (( patch >= 67 )) || (( patch >= 0 && patch <= 4 )); then
echo "PATCHED"
exit 0
fi
# Any oddball 7.0.66 or unparseable edge case: treat as unknown for manual review.
echo "UNKNOWN"
exit 2
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: do not let this plugin jump the queue on its own merits. Validate whether any flagged hosts are actually upstream Tomcat 7.0.5-7.0.65 and whether any app uses SSL-session-ID-based session tracking; if not, document the downgrade and move on. For a LOW finding there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, so fold patching into normal Tomcat lifecycle work rather than emergency change windows. If these systems are still on legacy Tomcat 7, use that broader platform-risk conversation to retire or upgrade them, but treat CVE-2015-5346 itself as a low-priority cleanup item.
Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.