Bug 1367447 (CVE-2016-6325) - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
Summary: CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
Status: CLOSED ERRATA
Alias: CVE-2016-6325
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20161010,repo...
Keywords: Security
Depends On: 1368119 1368120 1368121 1368122 1383216 1420125 1420223
Blocks: 1362547 1428325
Reported: 2016-08-16 12:33 UTC by Tomas Hoger
Modified: 2019-06-08 21:23 UTC (History)
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writable by the tomcat group. A member of that group, or a malicious web application deployed on Tomcat, could use this flaw to escalate their privileges.
Clone Of:
Clones: 1420125
Last Closed: 2017-06-01 02:30:54 UTC


External Trackers
Tracker ID                             | Priority | Status       | Summary                                                                      | Last Updated
Red Hat Product Errata RHSA-2016:2045  | normal   | SHIPPED_LIVE | Important: tomcat6 security and bug fix update                               | 2016-10-11 00:38:52 UTC
Red Hat Product Errata RHSA-2016:2046  | normal   | SHIPPED_LIVE | Important: tomcat security update                                            | 2016-10-11 00:38:43 UTC
Red Hat Product Errata RHSA-2017:0455  | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update    | 2017-03-08 00:06:40 UTC
Red Hat Product Errata RHSA-2017:0456  | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update    | 2017-03-08 00:06:06 UTC
Red Hat Product Errata RHSA-2017:0457  | normal   | SHIPPED_LIVE | Important: Red Hat JBoss Web Server security and enhancement update          | 2017-03-08 00:05:59 UTC

Description Tomas Hoger 2016-08-16 12:33:12 UTC
It was discovered that the Tomcat packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for the /etc/sysconfig/tomcat configuration file.  The file is writable by the tomcat group (root:tomcat, 664).  On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the Tomcat init script and its content is executed with root privileges when the Tomcat service is started, stopped or restarted.

On Red Hat Enterprise Linux 7 using systemd, the file is no longer directly executed with root privileges, but it is still used to initialize the environment for the Tomcat service.  This would not allow a malicious or compromised web application deployed on Tomcat and already running with tomcat user privileges to directly escalate privileges.

Comment 1 Tomas Hoger 2016-08-16 12:33:17 UTC
Acknowledgments:

Name: Red Hat Product Security

Comment 2 Tomas Hoger 2016-08-16 13:15:52 UTC
In addition to /etc/sysconfig/tomcat, the same applies to /etc/tomcat/tomcat.conf, which is also sourced by the Tomcat init script.

Note that Tomcat package names vary between Red Hat Enterprise Linux versions, which also means these configuration files have slightly different names on different OS versions.

Red Hat Enterprise Linux 7:
/etc/sysconfig/tomcat
/etc/tomcat/tomcat.conf

Red Hat Enterprise Linux 6:
/etc/sysconfig/tomcat6
/etc/tomcat6/tomcat6.conf

Red Hat Enterprise Linux 5:
/etc/sysconfig/tomcat5
/etc/tomcat5/tomcat5.conf

Comment 3 Tomas Hoger 2016-08-18 10:54:20 UTC
Note that to properly fix this, we'll also need to fix permissions of the /etc/tomcat directory.  As the directory is usually created as writable by the tomcat user or group, even if tomcat.conf inside it is not tomcat-writable, it is still possible to remove and re-create the file.

Comment 12 Tomas Hoger 2016-09-16 14:19:52 UTC
This issue can be mitigated by manually changing permissions of configuration files and directories.  The following commands should be invoked as root.  Note that the file permissions may be changed again on the next package upgrade.


Red Hat Enterprise Linux 7, tomcat packages:

# chown root /etc/tomcat/tomcat.conf
# chmod 644 /etc/sysconfig/tomcat /etc/tomcat/tomcat.conf

Note that /etc/tomcat/ is not writable by the tomcat user by default.


Red Hat Enterprise Linux 6, tomcat6 packages:

# chmod 755 /etc/tomcat6/
# chmod 644 /etc/sysconfig/tomcat6 /etc/tomcat6/tomcat6.conf


Red Hat Enterprise Linux 5, tomcat5 packages:

# chmod 755 /etc/tomcat5/

Note that /etc/sysconfig/tomcat5 and /etc/tomcat5/tomcat5.conf configuration files are already root-owned and not writeable to tomcat user.
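
As an added example (editorial, not part of this bug report or of the Red Hat packages), the following POSIX shell script checks for the permission pattern described in the description and in comment 3: a file sourced by a root-run init script that is group- or world-writable, or that sits in a directory the tomcat user could delete and re-create it in. It then applies the chmod part of the comment 12 mitigation to a constructed sandbox and re-checks. It assumes GNU coreutils stat(1) (a Linux host); the sandbox paths, the sample file contents and all function names are illustrative. Ownership cannot be reproduced without root, so the sandbox check compares against the current uid rather than root.

```shell
#!/bin/sh
# Added example (not from the bug or the Red Hat packages): audit the
# permission pattern behind CVE-2016-6325 and apply the comment 12 chmods.
#
# A file sourced by a root-run init script is only safe when it is owned by
# root and not writable by group or other, AND its parent directory is not
# group/other-writable (otherwise the file can be unlinked and re-created,
# as comment 3 notes). Assumes GNU coreutils stat(1), i.e. a Linux host.

# Usage: audit_sourced_file PATH [EXPECTED_UID]
# Prints one finding per line. Exit 0 = clean, 1 = findings, 2 = missing.
audit_sourced_file() {
    path=$1
    want_uid=${2:-0}          # 0 = root; override only for sandbox tests
    rc=0
    for target in "$path" "$(dirname "$path")"; do
        mode=$(stat -c '%a' "$target" 2>/dev/null) || { echo "MISSING $target"; return 2; }
        uid=$(stat -c '%u' "$target")
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $target is owned by uid $uid, expected uid $want_uid"
            rc=1
        fi
        # The leading 0 makes the shell parse stat's octal mode as octal.
        if [ $((0$mode & 020)) -ne 0 ]; then
            echo "GROUP-WRITABLE $target (mode $mode)"
            rc=1
        fi
        if [ $((0$mode & 002)) -ne 0 ]; then
            echo "WORLD-WRITABLE $target (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Walk the config files named in comment 2 for whichever tomcat package
# is installed on this host. Meant to be run as root on a real system.
audit_tomcat_host() {
    status=0
    for f in /etc/sysconfig/tomcat  /etc/tomcat/tomcat.conf \
             /etc/sysconfig/tomcat6 /etc/tomcat6/tomcat6.conf \
             /etc/sysconfig/tomcat5 /etc/tomcat5/tomcat5.conf; do
        [ -e "$f" ] || continue
        audit_sourced_file "$f" || status=1
    done
    return $status
}

# Constructed sandbox reproducing the shipped (vulnerable) layout under a
# temporary root: both files 664 and etc/tomcat 775 (the RHEL 6 case).
# Prints the sandbox root.
make_vulnerable_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/etc/sysconfig" "$sb/etc/tomcat"
    printf 'JAVA_OPTS="-Xmx512m"\n' > "$sb/etc/sysconfig/tomcat"       # sample content
    printf 'TOMCAT_CFG_LOADED="1"\n' > "$sb/etc/tomcat/tomcat.conf"    # sample content
    chmod 755 "$sb/etc/sysconfig"
    chmod 775 "$sb/etc/tomcat"
    chmod 664 "$sb/etc/sysconfig/tomcat" "$sb/etc/tomcat/tomcat.conf"
    printf '%s\n' "$sb"
}

# The chmod part of the comment 12 mitigation (chown needs root), applied
# under a sandbox root instead of /.
harden_sandbox() {
    root=$1
    chmod 755 "$root/etc/tomcat"
    chmod 644 "$root/etc/sysconfig/tomcat" "$root/etc/tomcat/tomcat.conf"
}

# Stand-alone demo: `sh audit.sh --demo` shows findings before and after.
if [ "${1:-}" = "--demo" ]; then
    sb=$(make_vulnerable_sandbox)
    me=$(id -u)
    echo "== before =="; audit_sourced_file "$sb/etc/tomcat/tomcat.conf" "$me"
    harden_sandbox "$sb"
    echo "== after ==";  audit_sourced_file "$sb/etc/tomcat/tomcat.conf" "$me" && echo clean
    rm -rf "$sb"
fi
```

On a real host, run audit_tomcat_host as root with no uid override; any OWNER or GROUP-WRITABLE line on a file or on its parent directory means the comment 12 commands still need to be applied (and, as comment 12 warns, re-checked after the next package upgrade).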

Comment 16 Tomas Hoger 2016-10-10 08:32:39 UTC
Lifting embargo after CVE-2016-5425 issue was made public - see bug 1362545 comment 10.

Comment 17 Tomas Hoger 2016-10-10 08:36:09 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383216]

Comment 18 errata-xmlrpc 2016-10-10 20:42:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html

Comment 19 errata-xmlrpc 2016-10-10 20:44:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 20 Coty Sutherland 2017-02-07 23:40:43 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-epel6 [bug 1420125]

Comment 21 Andrej Nemec 2017-02-08 08:58:02 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1420223]

Comment 22 errata-xmlrpc 2017-03-07 19:07:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 23 errata-xmlrpc 2017-03-07 19:12:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 24 errata-xmlrpc 2017-03-07 19:16:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

