Bug 1420125

Summary: CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
Product: [Fedora] Fedora EPEL
Reporter: John Jasen <jjasen>
Component: tomcat
Assignee: Coty Sutherland <csutherl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: el6
CC: alee, coolsvap, csutherl, fnasser, gzaronik, ivan.afonichev, java-sig-commits, jclere, jdoyle, krzysztof.daniel, lgao, mbabacek, myarboro, security-response-team, thoger, trick, twalsh, weli
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20161010,reported=20160809,source=redhat,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-284,rhel-5/tomcat5=affected,rhel-6/tomcat6=affected,rhel-7/tomcat=affected/cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N/impact=low,fedora-all/tomcat=affected,epel-6/tomcat=affected,jbews-2/tomcat=wontfix,jbews-3/tomcat=defer,jws-3/tomcat7=affected,jws-3/tomcat8=affected
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: CVE-2016-6325
Environment:
Last Closed: 2017-02-08 09:00:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1367447

Description John Jasen 2017-02-07 22:24:34 UTC
+++ This bug was initially created as a clone of Bug #1367447 +++

It was discovered that Tomcat packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/tomcat configuration files.  The file is writable by the tomcat group (root:tomcat, 664).  On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the Tomcat init script and its content executed with root privileges when the Tomcat service is started, stopped or restarted.

On Red Hat Enterprise Linux 7 using systemd, the file is no longer directly executed with root privileges, but it is still used to initialize the environment for the Tomcat service.  This would not allow a malicious or compromised web application deployed on Tomcat and already running with tomcat user privileges to directly escalate privileges.

--- Additional comment from Tomas Hoger on 2016-08-16 08:33:17 EDT ---

Acknowledgments:

Name: Red Hat Product Security

--- Additional comment from Tomas Hoger on 2016-08-16 09:15:52 EDT ---

In addition to /etc/sysconfig/tomcat, the same applies to /etc/tomcat/tomcat.conf, which is also sourced by the Tomcat init script.

Note that the Tomcat package name varies between Red Hat Enterprise Linux versions, which also means these configuration files have slightly different names on different OS versions.

Red Hat Enterprise Linux 7:
/etc/sysconfig/tomcat
/etc/tomcat/tomcat.conf

Red Hat Enterprise Linux 6:
/etc/sysconfig/tomcat6
/etc/tomcat6/tomcat6.conf

Red Hat Enterprise Linux 5:
/etc/sysconfig/tomcat5
/etc/tomcat5/tomcat5.conf

--- Additional comment from Tomas Hoger on 2016-08-18 06:54:20 EDT ---

Note that to properly fix this, we'll also need to fix the permissions of the /etc/tomcat directory.  As the directory is usually created as writable by the tomcat user or group, even if tomcat.conf inside it is not tomcat-writable, it is still possible to remove and re-create the file.

--- Additional comment from Tomas Hoger on 2016-09-16 10:19:52 EDT ---

This issue can be mitigated by manually changing the permissions of the configuration files and directories.  The following commands should be invoked as root.  Note that the file permissions may be changed again on the next package upgrade.

Red Hat Enterprise Linux 7, tomcat packages:

# chown root /etc/tomcat/tomcat.conf
# chmod 644 /etc/sysconfig/tomcat /etc/tomcat/tomcat.conf

Note that /etc/tomcat/ is not writable by the tomcat user by default.

Red Hat Enterprise Linux 6, tomcat6 packages:

# chmod 755 /etc/tomcat6/
# chmod 644 /etc/sysconfig/tomcat6 /etc/tomcat6/tomcat6.conf

Red Hat Enterprise Linux 5, tomcat5 packages:

# chmod 755 /etc/tomcat5/

Note that the /etc/sysconfig/tomcat5 and /etc/tomcat5/tomcat5.conf configuration files are already root-owned and not writable by the tomcat user.
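
An added audit script (not part of this bug report or of the tomcat packages) that verifies the state the mitigation above aims for: a path is reported as exposed when it is group- or world-writable or not owned by root, and a directory is treated the same way because a writable directory lets the file inside it be removed and re-created. It assumes GNU coreutils `stat` (Linux) and defaults to the RHEL 7 path names; pass the tomcat6 or tomcat5 paths as arguments for the other releases.

```shell
#!/bin/sh
# Added audit helper for the configuration paths named in this bug.
# Not part of the bug report or the tomcat packages.  Assumes GNU
# coreutils 'stat' (Linux); any user able to stat the paths can run it.

# Return 0 when an octal mode string (as printed by 'stat -c %a')
# grants write permission to group or others (022 = ----w--w-).
mode_is_shared_writable() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# Return 0 when PATH could be altered by the tomcat account: it is
# group/world writable, or it is not owned by root.  A writable
# directory counts as exposed even if the file inside is root-owned,
# because the file can then be removed and re-created.
path_is_exposed() {
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%U' "$1") || return 2
    mode_is_shared_writable "$mode" && return 0
    [ "$owner" != "root" ]
}

# Print one status line per path and return the count of exposed paths.
audit_paths() {
    exposed=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf 'MISSING %s\n' "$p"
        elif path_is_exposed "$p"; then
            printf 'EXPOSED %s (%s, mode %s)\n' "$p" \
                "$(stat -c '%U:%G' "$p")" "$(stat -c '%a' "$p")"
            exposed=$((exposed + 1))
        else
            printf 'OK      %s\n' "$p"
        fi
    done
    return "$exposed"
}

# Default to the RHEL 7 / EPEL tomcat names from the bug; pass the
# tomcat6 or tomcat5 paths on the command line for RHEL 6 / RHEL 5.
[ $# -gt 0 ] || set -- /etc/sysconfig/tomcat /etc/tomcat /etc/tomcat/tomcat.conf
audit_paths "$@"
```

The exit status is the number of exposed paths, so a zero exit after applying the chown/chmod commands confirms the mitigation took effect on that host.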

--- Additional comment from Tomas Hoger on 2016-10-10 04:32:39 EDT ---

Lifting embargo after CVE-2016-5425 issue was made public - see bug 1362545 comment 10.

--- Additional comment from Tomas Hoger on 2016-10-10 04:36:09 EDT ---

Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383216]

--- Additional comment from errata-xmlrpc on 2016-10-10 16:42:03 EDT ---

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html

--- Additional comment from errata-xmlrpc on 2016-10-10 16:44:02 EDT ---

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 1 John Jasen 2017-02-07 22:25:49 UTC
From a cursory review of tomcat packages from EPEL, the changelog does not make it clear whether this bug was addressed.

Comment 2 Andrej Nemec 2017-02-08 09:00:03 UTC
Thanks for pointing this out. Please don't clone parent security bugs for issues such as these.

I have filed 1420223 as an epel-6 tracker for tomcat.

*** This bug has been marked as a duplicate of bug 1420223 ***