Bug 2271114 (CVE-2024-22029)

Summary: CVE-2024-22029 tomcat: Escalation to root from tomcat user via %post script
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Tomcat package of OpenSUSE and derived distributions. This issue occurs due to incorrect permissions and a race condition in the %post section of the Tomcat RPM package, resulting in local privilege escalation when the Tomcat package is re-installed.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2271115    
Bug Blocks: 2271111    

Description Robb Gatica 2024-03-22 19:58:12 UTC 
A flaw demonstrating local privilege escalation from the default tomcat user/group to root was reported to SUSE. /usr/share/tomcat/tomcat-webapps is owned by root but writable for the tomcat group, which can potentially be exploited with specially crafted inputs/payload. PoC and explanation can be found in the below referenced bug. 

Affected versions:
< 9.0.85

References:
https://bugzilla.suse.com/show_bug.cgi?id=1219208
https://bz.apache.org/bugzilla/show_bug.cgi?id=68663
Comment 1 Robb Gatica 2024-03-22 20:02:23 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2271115]