The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the Secure flag on the JSESSIONIDSSO cookie when the session is established over HTTPS. Without that flag the browser also sends the cookie on plain HTTP requests to the same host, which makes it easier for remote attackers to capture this cookie.
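The check below is an added example written for this entry; it is not code from the Tomcat project or from any of the advisories linked here. It parses the Set-Cookie headers a server returns on an HTTPS response and reports session cookies that lack the Secure attribute, which is exactly the defect described above. The list of session cookie names and the sample headers are constructed assumptions for the demonstration.

```python
"""Audit Set-Cookie headers from an HTTPS response for session cookies
that are missing the Secure attribute (added example, not Tomcat code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Cookie names treated as session identifiers (assumption for this example:
# Tomcat's servlet session cookie and its SSO valve cookie).
SESSION_COOKIE_NAMES = {"jsessionid", "jsessionidsso"}


@dataclass
class CookieFinding:
    name: str
    secure: bool
    problem: Optional[str]  # None when the cookie is acceptable


def parse_set_cookie(header_value: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie value into the cookie name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    Flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookies(headers: List[str], over_https: bool = True) -> List[CookieFinding]:
    """Return one finding per Set-Cookie header.

    A session cookie issued over HTTPS without Secure is reported, because the
    browser will also send it on plain HTTP requests to the same host.
    """
    findings: List[CookieFinding] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        secure = "secure" in attrs
        problem = None
        if cookie["name"].lower() in SESSION_COOKIE_NAMES and over_https and not secure:
            problem = "session cookie issued over HTTPS without the Secure attribute"
        findings.append(CookieFinding(cookie["name"], secure, problem))
    return findings


# Constructed sample headers: the first line is the vulnerable form described
# in the entry, the second is the corrected form.
SAMPLE_HEADERS = [
    "JSESSIONIDSSO=ABC123; Path=/",
    "JSESSIONIDSSO=ABC123; Path=/; Secure",
    "JSESSIONID=DEF456; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookies(SAMPLE_HEADERS):
        status = finding.problem or "ok"
        print(f"{finding.name}: secure={finding.secure} -> {status}")
```

Run against the captured response headers of a real HTTPS deployment (for example the output of a request to a Tomcat instance with the SSO valve enabled); any JSESSIONIDSSO line reported by the audit means the cookie will leak onto plain HTTP and the server should be upgraded or its cookie handling corrected so the Secure attribute is emitted.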
community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
issues.apache.org/bugzilla/show_bug.cgi?id=41217
lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
rhn.redhat.com/errata/RHSA-2008-0630.html
secunia.com/advisories/28549
secunia.com/advisories/28552
secunia.com/advisories/29242
secunia.com/advisories/31493
secunia.com/advisories/33668
security-tracker.debian.net/tracker/CVE-2008-0128
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
www.debian.org/security/2008/dsa-1468
www.redhat.com/support/errata/RHSA-2008-0261.html
www.securityfocus.com/archive/1/500396/100/0/threaded
www.securityfocus.com/archive/1/500412/100/0/threaded
www.securityfocus.com/bid/27365
www.vupen.com/english/advisories/2008/0192
www.vupen.com/english/advisories/2009/0233
exchange.xforce.ibmcloud.com/vulnerabilities/39804
lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E