SAP Knowledge Base Article - Preview

2218672 - How to overcome Apache Tomcat CVE-2013-2067 Session Fixation Vulnerability affecting Apache Tomcat installed with SAP BusinessObjects Business Intelligence Platform (BI) 4.0/4.1


  • Apache Team has found that the java/org/apache/catalina/authenticator/ in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
  • FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.



  • SAP BusinessObjects Business Intelligence Platform (BI) 4.0/4.1.
  • All supported OS.
  • Tomcat (6, 7) (Versions which are mentioned in symptoms)


SAP BusinessObjects Business Intelligence platform 4.0 ; SAP BusinessObjects Business Intelligence platform 4.1


Tomcat, BI, 4.x, 4.0, 4.1, multiple, vulnerabilities, Apache, security, CVE, 7, 6, cve-2013-2067, Session, Fixation, , KBA , BI-BIP-DEP , Webapp Deployment, Networking, Vulnerabilities, Webservices , BI-BIP-INS , Installation, Updates, Upgrade, Patching , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.