Bug 1852863 (CVE-2020-8022)

Summary: CVE-2020-8022 tomcat: /usr/lib/tmpfiles.d/tomcat.conf is group-writable
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, alee, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, etirelli, ggaughan, gmalinko, gzaronik, huwang, ibek, ikanello, ivan.afonichev, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jclere, jjoyce, jochrist, jolee, jpallich, jperkins, jschatte, jschluet, jstastny, jwon, kbasil, krathod, krzysztof.daniel, kverlaen, kwills, lgao, lhh, lpeer, lthon, mbabacek, mburns, mkolesni, mnovotny, msochure, msvehla, mszynkie, myarboro, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, rguimara, rhcs-maint, rrajasek, rruss, rstancel, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, smaestri, tom.jenkinson, vhalbert, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-08 01:27:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1852864    

Description Guilherme de Almeida Suckevicz 2020-07-01 13:31:05 UTC 
A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.

Reference:
https://bugzilla.suse.com/show_bug.cgi?id=1172405
Comment 1 Paramvir jindal 2020-07-02 07:38:46 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Data Grid 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 7 Product Security DevOps Team 2020-07-08 01:27:37 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8022
Comment 8 Product Security DevOps Team 2020-07-08 07:27:39 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8022
Comment 9 Anten Skrabec 2020-07-09 22:25:24 UTC 
Statement:

Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of RHOSP14 and is only receiving security fixes for Important and Critical flaws.