Bug 958618 (CVE-2013-2035)
| Summary: | CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | chazlett, chdh, grocha, jlieskov, jrusnack, mjc, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 11:00:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 957196, 961605, 962614, 962615, 962616, 962617, 1011318, 1050442, 1050443, 1050444, 1050445, 1050447, 1050448, 1050450, 1050451, 1050452, 1050453, 1050454, 1050455, 1050456, 1050457, 1075456, 1160702 | ||
| Bug Blocks: | 957570, 958349, 991853, 1012753, 1026176, 1059975, 1097027, 1139455, 1141957, 1145284, 1159080, 1159088 | ||
|
Description
David Jorm
2013-05-02 05:16:25 UTC
Acknowledgements: This issue was discovered by Florian Weimer of the Red Hat Product Security Team. HawtJNI 1.8 has been released, incorporating a fix for this flaw. Several other components embed HawtJNI, potentially exposing this flaw. Jansi 1.11 has been released, embedding HawtJNI 1.8 and incorporating a fix for this flaw. JLine 2.11 has been released, embedding Jansi 1.11 and incorporating a fix for this flaw. JRuby 1.7.5 has been released, embedding JLine 2.1.1 and incorporating a fix for this flaw. Upstream patch commit: https://github.com/fusesource/hawtjni/commit/92c266170ce98edc200c656bd034a237098b8aa5 Upstream jline2 bug: https://github.com/jline/jline2/issues/85 Upstream JRuby bug: https://github.com/jruby/jruby/issues/732 Created jansi tracking bugs for this issue Affects: fedora-all [bug 962614] Created jruby tracking bugs for this issue Affects: fedora-all [bug 962617] This issue has been addressed in following products: Fuse MQ Enterprise 7.1.0 Via RHSA-2013:1029 https://rhn.redhat.com/errata/RHSA-2013-1029.html Even when the file name of the native library in /tmp is generated using unpredictable random numbers, isn't it still possible to scan through the /tmp directory, find the file and modify or replace it? (In reply to Christian d'Heureuse from comment #12) > Even when the file name of the native library in /tmp is generated using > unpredictable random numbers, isn't it still possible to scan through the > /tmp directory, find the file and modify or replace it? The patch for this flaw also ensures that the temporary file is written by HawtJNI before it is read by HawtJNI, and that file permissions prevent a different user from overwriting this file. This means that an attacker cannot plant a malicious library in advance, and cannot overwrite the existing library after it has been created. This issue has been addressed in following products: Red Hat JBoss Enterprise Application Platform 6.2.0 Via RHSA-2013:1784 https://rhn.redhat.com/errata/RHSA-2013-1784.html This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2013:1786 https://rhn.redhat.com/errata/RHSA-2013-1786.html This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2013:1785 https://rhn.redhat.com/errata/RHSA-2013-1785.html This issue has been addressed in following products: Red Hat JBoss Data Grid 6.2.0 Via RHSA-2014:0029 https://rhn.redhat.com/errata/RHSA-2014-0029.html This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise 2.0 Via RHSA-2014:0245 https://rhn.redhat.com/errata/RHSA-2014-0245.html This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise 1.2 Via RHSA-2014:0254 https://rhn.redhat.com/errata/RHSA-2014-0254.html This issue has been addressed in following products: Red Hat JBoss AM-Q 6.1.0 Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html This issue has been addressed in following products: Red Hat JBoss Fuse 6.1.0 Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html This issue has been addressed in the following products: JBoss Operations Network 3.3.0 Via RHSA-2014:1904 https://rhn.redhat.com/errata/RHSA-2014-1904.html This issue has been addressed in the following products: JBoss Fuse Service Works 6.0.0 Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html This issue has been addressed in the following products: JBoss Data Virtualization 6.0.0 Via RHSA-2015:0034 https://rhn.redhat.com/errata/RHSA-2015-0034.html |