Bug 1367447 (CVE-2016-6325)

Summary: CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alee, chazlett, coolsvap, csutherl, fnasser, gzaronik, ivan.afonichev, java-sig-commits, jclere, jdoyle, krzysztof.daniel, lgao, mbabacek, myarboro, security-response-team, trick, twalsh, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20161010,reported=20160809,source=redhat,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-284,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=affected,rhel-7/tomcat=affected/impact=low/cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N,fedora-all/tomcat=affected,epel-6/tomcat=affected,jbews-2/tomcat=wontfix,jbews-3/tomcat=defer,jws-3/tomcat7=affected,jws-3/tomcat8=affected
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
Story Points: ---
Clone Of:
: 1420125
Environment:
Last Closed: 2017-06-01 02:30:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1368119, 1368120, 1368121, 1368122, 1383216, 1420125, 1420223
Bug Blocks: 1362547, 1428325

Description Tomas Hoger 2016-08-16 12:33:12 UTC
It was discovered that Tomcat packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for the /etc/sysconfig/tomcat configuration file. The file is writable by the tomcat group (root:tomcat, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the Tomcat init script and its content executed with root privileges when the Tomcat service is started, stopped or restarted.

On Red Hat Enterprise Linux 7 using systemd, the file is no longer directly executed with root privileges, but it is still used to initialize the environment for the Tomcat service. This would not allow a malicious or compromised web application deployed on Tomcat and already running with tomcat user privileges to directly escalate privileges.

Comment 1 Tomas Hoger 2016-08-16 12:33:17 UTC
Acknowledgments:

Name: Red Hat Product Security

Comment 2 Tomas Hoger 2016-08-16 13:15:52 UTC
In addition to /etc/sysconfig/tomcat, the same applies to /etc/tomcat/tomcat.conf which is also sourced by Tomcat init script.

Note that Tomcat package names vary between Red Hat Enterprise Linux versions, which also means these configuration files have slightly different names on different OS versions.

Red Hat Enterprise Linux 7:
/etc/sysconfig/tomcat
/etc/tomcat/tomcat.conf

Red Hat Enterprise Linux 6:
/etc/sysconfig/tomcat6
/etc/tomcat6/tomcat6.conf

Red Hat Enterprise Linux 5:
/etc/sysconfig/tomcat5
/etc/tomcat5/tomcat5.conf

Comment 3 Tomas Hoger 2016-08-18 10:54:20 UTC
Note that to properly fix this, we'll also need to fix permissions of the /etc/tomcat directory.  As the directory is usually created as writable to tomcat user or group, even if tomcat.conf inside it is not tomcat writable, it is still possible to remove and re-create the file.

Comment 12 Tomas Hoger 2016-09-16 14:19:52 UTC
This issue can be mitigated by manually changing permissions of configuration files and directories.  The following commands should be invoked as root.  Note that the file permissions may be changed again on the next package upgrade.


Red Hat Enterprise Linux 7, tomcat packages:

# chown root /etc/tomcat/tomcat.conf
# chmod 644 /etc/sysconfig/tomcat /etc/tomcat/tomcat.conf

Note that /etc/tomcat/ is not writeable to the tomcat user by default.


Red Hat Enterprise Linux 6, tomcat6 packages:

# chmod 755 /etc/tomcat6/
# chmod 644 /etc/sysconfig/tomcat6 /etc/tomcat6/tomcat6.conf


Red Hat Enterprise Linux 5, tomcat5 packages:

# chmod 755 /etc/tomcat5/

Note that /etc/sysconfig/tomcat5 and /etc/tomcat5/tomcat5.conf configuration files are already root-owned and not writeable to tomcat user.
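
The following audit helper is an added example, not part of the bug report or of the Red Hat packages: it checks the files and directories listed in comments 2 and 12 and reports any that are not root-owned or that carry a group or world write bit, which is the condition the chown/chmod commands above remove. It assumes GNU coreutils stat (as shipped on RHEL); the TOMCAT_CONF_OWNER_UID variable is an assumed knob that defaults to root.

```sh
#!/bin/sh
# Added audit helper (not from the bug report): verifies that the Tomcat
# config files and directories sourced by the init script are root-owned and
# not group- or world-writable. Assumes GNU coreutils stat.
# TOMCAT_CONF_OWNER_UID is an assumed knob: 0 (root) on a real host,
# overridable when exercising the checks against scratch copies.
TOMCAT_CONF_OWNER_UID=${TOMCAT_CONF_OWNER_UID:-0}

# mode_is_safe OCTAL -> 0 if neither group nor other has the write bit (2) set
mode_is_safe() {
    m=$1
    # strip leading zeros so $(( )) does not treat the value as octal
    while [ "${m#0}" != "$m" ]; do m=${m#0}; done
    # the last two octal digits are the group and other permission triplets
    g=$(( m % 100 / 10 ))
    o=$(( m % 10 ))
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# path_is_hardened PATH -> 0 if PATH is absent (belongs to another release)
# or is owned by TOMCAT_CONF_OWNER_UID with a safe mode; 1 otherwise
path_is_hardened() {
    p=$1
    [ -e "$p" ] || return 0
    [ "$(stat -c %u "$p")" = "$TOMCAT_CONF_OWNER_UID" ] || return 1
    mode_is_safe "$(stat -c %a "$p")"
}

# audit_tomcat_conf PATH... -> one verdict line per path; returns 1 if any
# path still needs the chown/chmod fix from comment 12
audit_tomcat_conf() {
    rc=0
    for p in "$@"; do
        if path_is_hardened "$p"; then
            printf 'ok      %s\n' "$p"
        else
            printf 'EXPOSED %s (%s)\n' "$p" "$(stat -c '%U:%G %a' "$p")"
            rc=1
        fi
    done
    return $rc
}

# Files and directories named in comments 2 and 12; absent ones are skipped
TOMCAT_CONF_PATHS='/etc/sysconfig/tomcat /etc/tomcat /etc/tomcat/tomcat.conf
/etc/sysconfig/tomcat6 /etc/tomcat6 /etc/tomcat6/tomcat6.conf
/etc/sysconfig/tomcat5 /etc/tomcat5 /etc/tomcat5/tomcat5.conf'

# Usage: sh audit.sh --run   (exit status 1 means at least one path is exposed)
[ "${1:-}" = "--run" ] && audit_tomcat_conf $TOMCAT_CONF_PATHS
```

Re-run it after every package upgrade, since comment 12 notes that an upgrade may reset the permissions.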

Comment 16 Tomas Hoger 2016-10-10 08:32:39 UTC
Lifting embargo after CVE-2016-5425 issue was made public - see bug 1362545 comment 10.

Comment 17 Tomas Hoger 2016-10-10 08:36:09 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383216]

Comment 18 errata-xmlrpc 2016-10-10 20:42:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html

Comment 19 errata-xmlrpc 2016-10-10 20:44:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 20 Coty Sutherland 2017-02-07 23:40:43 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-epel6 [bug 1420125]

Comment 21 Andrej Nemec 2017-02-08 08:58:02 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1420223]

Comment 22 errata-xmlrpc 2017-03-07 19:07:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 23 errata-xmlrpc 2017-03-07 19:12:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 24 errata-xmlrpc 2017-03-07 19:16:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455