Session Management Flaw in Novell Access Manager 3 SP4
CVE-2008-6722
Summary
Novell Access Manager 3 SP4 does not properly expire sessions that were authenticated with an X.509 client certificate. An attacker who is physically close to the victim can reuse the victim's logged-in session through the victim's still-running web browser process: the browser may keep presenting an unexpired, valid SSL session ID, and the server keeps accepting it, which yields unauthorized access. The underlying cause is that Apache Tomcat cannot remove entries from its SSL session cache, so a cached session remains usable after it should have been invalidated.
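The following model, added here as an illustration and not code from Novell, Apache Tomcat or this advisory, shows the server-side behaviour the summary describes: an authentication cache keyed by the TLS session ID that is never cleared keeps the browser authenticated, while clearing the entry when the application session ends, or bounding its absolute lifetime, closes that window. The class `SslSessionCache`, the helper `run_scenario`, the scenario functions, and the sample session identifier `SSL_SESSION_ID` are all assumptions constructed for the example.

```python
"""Illustrative model of a server-side cache that maps a TLS session ID to
the identity from a client X.509 certificate. It is not Tomcat's code; it
exists to show why such an entry must not outlive the application session."""
from dataclasses import dataclass
from typing import Optional

SSL_SESSION_ID = bytes.fromhex("a1b2c3d4e5f6")  # constructed sample identifier


@dataclass
class Entry:
    user: str         # identity taken from the client certificate subject
    created: float    # time the TLS session was first authenticated
    last_seen: float  # time of the most recent request on this session


class SslSessionCache:
    """Hypothetical cache of certificate-authenticated TLS sessions.

    invalidate_on_logout: whether ending the application session also
                          removes the cache entry (the fix).
    max_lifetime:         absolute lifetime in seconds after which an entry
                          is rejected regardless of activity (defence in depth).
    """

    def __init__(self, invalidate_on_logout: bool, max_lifetime: float) -> None:
        self.invalidate_on_logout = invalidate_on_logout
        self.max_lifetime = max_lifetime
        self._entries: dict = {}

    def authenticate(self, ssl_id: bytes, cert_subject: str, now: float) -> None:
        """Record a successful client-certificate handshake for this TLS session."""
        self._entries[ssl_id] = Entry(cert_subject, now, now)

    def lookup(self, ssl_id: bytes, now: float) -> Optional[str]:
        """Return the user the server would accept for this TLS session, or None."""
        entry = self._entries.get(ssl_id)
        if entry is None:
            return None
        if now - entry.created > self.max_lifetime:
            # Absolute lifetime exceeded: drop the entry and deny the request.
            del self._entries[ssl_id]
            return None
        entry.last_seen = now
        return entry.user

    def logout(self, ssl_id: bytes) -> None:
        """End the application session. In the flawed configuration the
        TLS-session cache entry is left in place, so the same session ID
        is still treated as authenticated on the next request."""
        if self.invalidate_on_logout:
            self._entries.pop(ssl_id, None)


def run_scenario(invalidate_on_logout: bool, max_lifetime: float,
                 seconds_after_logout: float) -> Optional[str]:
    """Authenticate, end the application session, then replay the same TLS
    session ID as a still-running browser process would. Returns the user
    the server would accept for that replayed request."""
    cache = SslSessionCache(invalidate_on_logout, max_lifetime)
    cache.authenticate(SSL_SESSION_ID, "CN=alice", now=0.0)
    assert cache.lookup(SSL_SESSION_ID, now=1.0) == "CN=alice"  # normal use
    cache.logout(SSL_SESSION_ID)
    return cache.lookup(SSL_SESSION_ID, now=seconds_after_logout)


def flawed_server() -> Optional[str]:
    """Entry survives the end of the application session; long lifetime."""
    return run_scenario(invalidate_on_logout=False, max_lifetime=86400.0,
                        seconds_after_logout=60.0)


def fixed_server() -> Optional[str]:
    """Entry is removed when the application session ends."""
    return run_scenario(invalidate_on_logout=True, max_lifetime=86400.0,
                        seconds_after_logout=60.0)


def lifetime_bound_only() -> Optional[str]:
    """Entry is not removed on logout, but a short absolute lifetime expires it."""
    return run_scenario(invalidate_on_logout=False, max_lifetime=30.0,
                        seconds_after_logout=60.0)


if __name__ == "__main__":
    print("flawed server accepts:", flawed_server())            # CN=alice
    print("fixed server accepts:", fixed_server())              # None
    print("lifetime bound only accepts:", lifetime_bound_only())  # None
```

The design point for a defender is that the cache entry, not the browser's cookie or window, is the credential: whatever ends the user's session must also remove or expire the server-side entry, and an absolute lifetime limits the damage when an explicit invalidation path is missing, as the summary says it is for Tomcat's SSL cache.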
References
Timeline
Vulnerability published
Vulnerability Reserved