How To Apply Patch For Session Fixation Via HTTP POST Request (Doc ID 1504970.1)

Last updated on JULY 01, 2016

Applies to:

Oracle Communications Converged Application Server - Version 4.0.0 and later
Information in this document applies to any platform.

Goal

The Oracle WebLogic servlet session cookie can be fixated via an HTTP POST request. This type of session fixation attack has been confirmed with different session descriptor elements. In particular, it has also been confirmed with the session descriptor element <url-rewriting-enabled> set to “False”. That setting prevents session fixation via HTTP GET requests but does not mitigate session fixation attacks performed over HTTP POST.

Is there a fix for Session Fixation Via HTTP POST Request (CVE-2010-4437)?

Solution
