2218672 - How to overcome Apache Tomcat CVE-2013-2067 Session Fixation Vulnerability affecting Apache Tomcat installed with SAP BusinessObjects Business Intelligence Platform (BI) 4.0/4.1

• Apache Team has found that the java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.
• FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.

• SAP BusinessObjects Business Intelligence Platform (BI) 4.0/4.1.
• All supported OS.
• Tomcat (6, 7) (Versions which are mentioned in symptoms)

Tomcat, BI, 4.x, 4.0, 4.1, multiple, vulnerabilities, Apache, security, CVE, 7, 6, cve-2013-2067, Session, Fixation, , KBA , BI-BIP-DEP , Webapp Deployment, Networking, Vulnerabilities, Webservices , BI-BIP-INS , Installation, Updates, Upgrade, Patching , Problem