It was discovered that Tomcat packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/tomcat configuration files. The file is writable to tomcat group (root:tomcat, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the Tomcat init script and its content executed with root privileges when Tomcat service is started, stopped or restarted. On Red Hat Enterprise Linux 7 using systemd, the file is not longer directly executed with root privileges, but it's still used to initialize environment for the Tomcat service. This would not allow a malicious or compromised web application deployed on Tomcat and already running with tomcat user privileges to directly escalate privileges.
Acknowledgments: Name: Red Hat Product Security
In addition to /etc/sysconfig/tomcat, the same applies to /etc/tomcat/tomcat.conf which is also sourced by Tomcat init script. Note that Tomcat package name vary between Red Hat Enterprise Linux versions, which also means these configuration files have slightly different names on different OS versions. Red Hat Enterprise Linux 7: /etc/sysconfig/tomcat /etc/tomcat/tomcat.conf Red Hat Enterprise Linux 6: /etc/sysconfig/tomcat6 /etc/tomcat6/tomcat6.conf Red Hat Enterprise Linux 5: /etc/sysconfig/tomcat5 /etc/tomcat5/tomcat5.conf
Note that to properly fix this, we'll also need to fix permissions of the /etc/tomcat directory. As the directory is usually created as writable to tomcat user or group, even if tomcat.conf inside it is not tomcat writable, it is still possible to remove and re-create the file.
This issue can be mitigated by manually changing permissions of configuration files and directories. The following commands should be invoked as root. Note that the file permissions may be changed again on the next package upgrade. Red Hat Enterprise Linux 7, tomcat packages: # chown root /etc/tomcat/tomcat.conf # chmod 644 /etc/sysconfig/tomcat /etc/tomcat/tomcat.conf Note that /etc/tomcat/ is not writeable to the tomcat user by default. Red Hat Enterprise Linux 6, tomcat6 packages: # chmod 755 /etc/tomcat6/ # chmod 644 /etc/sysconfig/tomcat6 /etc/tomcat6/tomcat6.conf Red Hat Enterprise Linux 5, tomcat5 packages: # chmod 755 /etc/tomcat5/ Note that /etc/sysconfig/tomcat5 and /etc/tomcat5/tomcat5.conf configuration files are already root-owned and not writeable to tomcat user.
Lifting embargo after CVE-2016-5425 issue was made public - see bug 1362545 comment 10.
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1383216]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html
Created tomcat tracking bugs for this issue: Affects: fedora-epel6 [bug 1420125]
Created tomcat tracking bugs for this issue: Affects: epel-6 [bug 1420223]
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0 Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455