Bug 1362545 - (CVE-2016-5425) CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1362567 1362568 1383210
Blocks: 1362547
  Show dependency treegraph
Reported: 2016-08-02 09:16 EDT by Adam Mariš
Modified: 2016-10-10 16:44 EDT (History)
69 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
Story Points: ---
Clone Of:
Last Closed: 2016-10-10 16:44:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2016-08-02 09:16:44 EDT
It was reported that Tomcat packages in Red Hat Enterprise Linux 7 are vulnerable to local privilege escalation from tomcat group user to root. Tomcat configuration file located at /usr/lib/tmpfiles.d/tomcat.conf can be modified by any user belonging to tomcat group. This file is used by /usr/bin/systemd-tmpfiles service to create temporary files.

As the systemd-tmpfiles service runs with root permissions, this enables the tomcat user to gain root privileges by editing the /usr/lib/tmpfiles.d/tomcat.conf file to contain a line which will cause the systemd-tmpfiles to create files within arbitrary system directory and arbitrary permissions.

External Reference:

Comment 1 Adam Mariš 2016-08-02 09:17:37 EDT

Name: Dawid Golunski (http://legalhackers.com)
Comment 9 Adam Mariš 2016-10-10 04:14:44 EDT
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383210]
Comment 10 Adam Mariš 2016-10-10 04:15:40 EDT
Public via:

Comment 11 Steven Haigh 2016-10-10 05:19:53 EDT
Out of interest, would SELinux policy prevent the tomcat user from writing to this file anyway?
Comment 12 Michal Schmidt 2016-10-10 05:38:56 EDT
I'm afraid it won't. Query the SELinux policy:

$ sesearch --allow -s tomcat_t -t lib_t -c file -p write
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { [...] write [...] } ;

It appears tomcat_t has the files_unconfined_type attribute, which means the SELinux policy puts very little restrictions on it.
Comment 13 errata-xmlrpc 2016-10-10 16:41:21 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html

Note You need to log in before you can comment on or make changes to this bug.