Bug 1376712 (CVE-2016-1240) - CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-1240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1376716 1376718 1470472
Blocks: 1362547 1428325
Reported: 2016-09-16 08:38 UTC by Andrej Nemec
Modified: 2021-10-21 00:55 UTC (History)
CC List: 65 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:55:14 UTC
Embargoed:


Attachments
Debian patch for tomcat7 (3.32 KB, patch), attached 2016-09-16 08:43 UTC by Tomas Hoger
Debian patch for tomcat8 (3.22 KB, patch), attached 2016-09-16 08:44 UTC by Tomas Hoger


Links
Red Hat Product Errata RHSA-2017:0455 (priority normal, SHIPPED_LIVE): Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update, last updated 2017-03-08 00:06:40 UTC
Red Hat Product Errata RHSA-2017:0456 (priority normal, SHIPPED_LIVE): Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update, last updated 2017-03-08 00:06:06 UTC
Red Hat Product Errata RHSA-2017:0457 (priority normal, SHIPPED_LIVE): Important: Red Hat JBoss Web Server security and enhancement update, last updated 2017-03-08 00:05:59 UTC

Description Andrej Nemec 2016-09-16 08:38:06 UTC
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.

References:

http://seclists.org/bugtraq/2016/Sep/26

Comment 1 Tomas Hoger 2016-09-16 08:42:14 UTC
Debian advisories for tomcat7 and tomcat8 for this CVE:

https://www.debian.org/security/2016/dsa-3669
https://www.debian.org/security/2016/dsa-3670

Comment 2 Tomas Hoger 2016-09-16 08:43:44 UTC
Created attachment 1201569
Debian patch for tomcat7

Comment 3 Tomas Hoger 2016-09-16 08:44:31 UTC
Created attachment 1201570
Debian patch for tomcat8

Comment 4 Andrej Nemec 2016-09-16 08:46:14 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1376716]

Comment 5 Andrej Nemec 2016-09-16 08:48:42 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1376718]

Comment 6 Tomas Hoger 2016-09-16 09:00:11 UTC
This is the flaw description in the Debian packages changelog:

  * Fix CVE-2016-1240:
    tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
    attacks and a possible root privilege escalation.

Their init script used to chown catalina.out.  A brief look at the init scripts for tomcat6 in Red Hat Enterprise Linux 6 and tomcat5 in Red Hat Enterprise Linux 5 suggests those scripts don't do any similar ownership change.  chown is only used to set the owner of catalina.pid, created in /var/run/, which is not writable by the tomcat user.

Comment 7 Tomas Hoger 2016-09-16 14:48:00 UTC
As noted above, Tomcat init scripts in Red Hat Enterprise Linux 5 and 6 do not attempt to chown catalina.out in a directory writable by the tomcat user.

Tomcat packages in Red Hat Enterprise Linux 7 do not use an init script, but a systemd service unit file.  There are no ownership changes done on Tomcat startup, and any start/stop actions for Tomcat on Red Hat Enterprise Linux 7 are executed directly under the tomcat user and group and not with root privileges.  Hence Tomcat in Red Hat Enterprise Linux 7 is also unaffected.

Note that EPEL-6 tomcat packages are affected by this problem.
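The pattern discussed in comments 6 and 7 (a root-run init script doing touch/chown on catalina.out inside a directory the tomcat user owns, versus letting the service user create the file itself), as an added shell example. This is not the Debian patch or either Red Hat init script. The directory layout, the attacker's target path and the use of util-linux runuser in the root-only branch are this example's own assumptions; the demo runs unprivileged under a temp dir, so the chown and runuser branches are shown but only execute when run as root.

```shell
#!/bin/sh
# Added example (not from the Red Hat bug or the Debian patch): a minimal model
# of the CVE-2016-1240 pattern. A root-run init script does "touch; chown" on a
# log file that lives in a directory the service user owns. touch and chown both
# dereference symlinks by default, so if the service user has replaced the log
# with a dangling symlink, root creates (and chowns to the service user) the
# attacker's chosen target instead. All paths below are constructed under a
# temp dir so this runs unprivileged.
set -u

# Attacker setup (constructed): a service-owned log dir whose catalina.out is a
# dangling symlink to a path only root should be able to create. The target
# here is a stand-in under the temp dir, not a real system file.
plant_symlink() {
    base="$1"
    mkdir -p "$base/var/log/tomcat7" "$base/etc"
    ln -s "$base/etc/attacker-target" "$base/var/log/tomcat7/catalina.out"
}

# Returns 0 if the attacker's target path now exists, i.e. the link was followed.
target_created() {
    [ -e "$1/etc/attacker-target" ]
}

# Vulnerable pattern: touch follows the planted symlink and creates the target
# (observable even unprivileged); run as root, chown then follows the same
# link and hands that target file to the service user.
vulnerable_prepare_log() {
    log="$1"; owner="$2"
    touch "$log"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$log"    # root only: dereferences the link, chowns the target
    fi
}

# Hardened pattern: root never creates or chowns anything inside the service
# user's directory. Refuse a path that is already a symlink or not a regular
# file, then create it as the service user (util-linux runuser, an assumption
# of this example) so a race that swaps in a symlink can only reach what that
# user could already write. No chown is needed: the creator owns the file.
hardened_prepare_log() {
    log="$1"; owner="$2"
    if [ -L "$log" ]; then
        echo "refusing: $log is a symlink" >&2
        return 1
    fi
    if [ -e "$log" ] && [ ! -f "$log" ]; then
        echo "refusing: $log is not a regular file" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        runuser -u "$owner" -- touch "$log" || return 1    # root only
    else
        touch "$log" || return 1
    fi
    # Post-condition: what we ended up with must be a regular file, not a link.
    [ -f "$log" ] && [ ! -L "$log" ]
}

# Stand-alone run: exercise both patterns against a freshly planted symlink.
# A real init script would pass the service user (e.g. tomcat7) as owner; the
# demo passes the current user so it also works when run as root in a container.
demo() {
    me=$(id -un)
    for fn in vulnerable_prepare_log hardened_prepare_log; do
        tmp=$(mktemp -d)
        plant_symlink "$tmp"
        "$fn" "$tmp/var/log/tomcat7/catalina.out" "$me" 2>/dev/null && rc=0 || rc=$?
        if target_created "$tmp"; then hit=yes; else hit=no; fi
        echo "$fn: exit=$rc target-created=$hit"
        rm -rf "$tmp"
    done
}
# expected:
#   vulnerable_prepare_log: exit=0 target-created=yes
#   hardened_prepare_log: exit=1 target-created=no
demo
```

The symlink pre-check alone is not the fix: between the test and the touch the service user can still swap the path, so a root-run script stays racy. What removes the class of bug is that root does no file-ownership work in a directory controlled by the less privileged user, which is why the hardened function creates the file as that user and drops chown altogether. That is also why the RHEL 7 packaging is unaffected: the systemd unit runs start/stop as tomcat, so there is no privileged step to redirect.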

Comment 12 Tomas Hoger 2016-10-03 08:55:30 UTC
Reporter's advisory has now been published.

External References:

http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt

Comment 13 errata-xmlrpc 2017-03-07 19:07:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 14 errata-xmlrpc 2017-03-07 19:12:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 15 errata-xmlrpc 2017-03-07 19:16:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

Comment 16 Kurt Seifried 2017-07-13 02:06:33 UTC
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1470472]

