Bug 1376712 (CVE-2016-1240)

Summary: CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alee, aszczucz, bbaranow, bdawidow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dimitris, dmcphers, dosoudil, epp-bugs, fnasser, gzaronik, hhorak, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jclere, jcoleman, jdg-bugs, jdoyle, jgoulding, jialiu, jokerman, jolee, jondruse, jorton, jpallich, jshepherd, kanderso, krzysztof.daniel, lgao, lmeyer, loleary, mbabacek, mbaluch, mizdebsk, mmccomas, mnewsome, mweiler, myarboro, nobody+bgollahe, nwallace, ohudlick, ppalaga, pslavice, psotirop, rnetuka, rstancel, rsvoboda, rzima, theute, ttarrant, twalsh, vondruch, vtunka, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text: It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:55:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1376716, 1376718, 1470472
Bug Blocks: 1362547, 1428325

Attachments (description, flags):
  Debian patch for tomcat7 (flags: none)
  Debian patch for tomcat8 (flags: none)

Description Andrej Nemec 2016-09-16 08:38:06 UTC
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.

References:

http://seclists.org/bugtraq/2016/Sep/26

Comment 1 Tomas Hoger 2016-09-16 08:42:14 UTC
Debian advisories for tomcat7 and tomcat8 for this CVE:

https://www.debian.org/security/2016/dsa-3669
https://www.debian.org/security/2016/dsa-3670

Comment 2 Tomas Hoger 2016-09-16 08:43:44 UTC
Created attachment 1201569
Debian patch for tomcat7

Comment 3 Tomas Hoger 2016-09-16 08:44:31 UTC
Created attachment 1201570
Debian patch for tomcat8

Comment 4 Andrej Nemec 2016-09-16 08:46:14 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1376716]

Comment 5 Andrej Nemec 2016-09-16 08:48:42 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1376718]

Comment 6 Tomas Hoger 2016-09-16 09:00:11 UTC
This is the flaw description in the Debian packages changelog:

  * Fix CVE-2016-1240:
    tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
    attacks and a possible root privilege escalation.

Their init script used to chown catalina.out.  A brief look at the init scripts for tomcat6 in Red Hat Enterprise Linux 6 and tomcat5 in Red Hat Enterprise Linux 5 suggests those scripts don't do any similar ownership change.  chown is only used to set the owner of catalina.pid, created in /var/run/, which is not writable by the tomcat user.

Comment 7 Tomas Hoger 2016-09-16 14:48:00 UTC
As noted above, Tomcat init scripts in Red Hat Enterprise Linux 5 and 6 do not attempt to chown catalina.out in a directory writable by the tomcat user.

Tomcat packages in Red Hat Enterprise Linux 7 do not use an init script, but a systemd service unit file.  There are no ownership changes done on Tomcat startup, and any start/stop actions for Tomcat on Red Hat Enterprise Linux 7 are executed directly under the tomcat user and group and not with root privileges.  Hence Tomcat in Red Hat Enterprise Linux 7 is also unaffected.

Note that EPEL-6 tomcat packages are affected by this problem.
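The pattern discussed in comments 6 and 7, as an added example that is not the Debian patch or any Red Hat script: instead of a root-run `chown` of catalina.out inside a directory the service user can write to, the init script only verifies the log file (absent, or a regular non-symlink file already owned by the service user) and otherwise refuses to start. Assumes a POSIX shell and a `stat` that accepts `-c %U` (GNU or busybox); the temporary directory in `demo` is constructed for illustration.

```shell
#!/bin/sh
# Unsafe init-script pattern (run as root, directory writable by the service
# user):   chown tomcat7 /var/log/tomcat7/catalina.out
# A symlink planted at that path redirects the chown to its target.  The
# helper below never changes ownership as root; it only checks, and leaves
# creating the file to the service process running as USER.

# check_log_file FILE USER
# Returns 0 when startup may proceed: FILE is absent (the service, running
# as USER, will create it itself) or is a regular, non-symlink file owned by
# USER.  Returns 1 for a symlink, a non-regular file or a foreign owner; the
# caller should report that rather than "repair" it with a root chown.
check_log_file() {
    file=$1
    user=$2
    if [ -L "$file" ]; then
        echo "refusing: $file is a symlink" >&2
        return 1
    fi
    if [ ! -e "$file" ]; then
        return 0                 # nothing to check; service creates it as USER
    fi
    if [ ! -f "$file" ]; then
        echo "refusing: $file is not a regular file" >&2
        return 1
    fi
    owner=$(stat -c %U "$file")  # assumption: GNU/busybox stat
    if [ "$owner" != "$user" ]; then
        echo "refusing: $file is owned by $owner, expected $user" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed temporary directory, not a real install.
demo() {
    dir=$(mktemp -d)
    ln -s "$dir/elsewhere" "$dir/catalina.out"     # planted symlink
    check_log_file "$dir/catalina.out" tomcat7 || echo "symlink rejected"
    rm -f "$dir/catalina.out"
    check_log_file "$dir/catalina.out" tomcat7 && echo "absent file accepted"
    rm -rf "$dir"
}
demo
```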

Comment 12 Tomas Hoger 2016-10-03 08:55:30 UTC
Reporter's advisory has now been published.

External References:

http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt

Comment 13 errata-xmlrpc 2017-03-07 19:07:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 14 errata-xmlrpc 2017-03-07 19:12:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 15 errata-xmlrpc 2017-03-07 19:16:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

Comment 16 Kurt Seifried 2017-07-13 02:06:33 UTC
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1470472]