Bug 1376712 (CVE-2016-1240) - CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
Summary: CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allo...
Keywords:
Status: NEW
Alias: CVE-2016-1240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1376716 1376718 1470472
Blocks: 1362547 1428325
TreeView+ depends on / blocked
 
Reported: 2016-09-16 08:38 UTC by Andrej Nemec
Modified: 2019-09-29 13:56 UTC (History)
70 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
Debian patch for tomcat7 (3.32 KB, patch)
2016-09-16 08:43 UTC, Tomas Hoger
no flags Details | Diff
Debian patch for tomcat8 (3.22 KB, patch)
2016-09-16 08:44 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0455 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update 2017-03-08 00:06:40 UTC
Red Hat Product Errata RHSA-2017:0456 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update 2017-03-08 00:06:06 UTC
Red Hat Product Errata RHSA-2017:0457 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and enhancement update 2017-03-08 00:05:59 UTC

Description Andrej Nemec 2016-09-16 08:38:06 UTC
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.

References:

http://seclists.org/bugtraq/2016/Sep/26

Comment 1 Tomas Hoger 2016-09-16 08:42:14 UTC
Debian advisories for tomcat7 and tomcat8 for this CVE:

https://www.debian.org/security/2016/dsa-3669
https://www.debian.org/security/2016/dsa-3670

Comment 2 Tomas Hoger 2016-09-16 08:43:44 UTC
Created attachment 1201569 [details]
Debian patch for tomcat7

Comment 3 Tomas Hoger 2016-09-16 08:44:31 UTC
Created attachment 1201570 [details]
Debian patch for tomcat8

Comment 4 Andrej Nemec 2016-09-16 08:46:14 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1376716]

Comment 5 Andrej Nemec 2016-09-16 08:48:42 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1376718]

Comment 6 Tomas Hoger 2016-09-16 09:00:11 UTC
This is the flaw description in the Debian packages changelog:

  * Fix CVE-2016-1240:
    tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
    attacks and a possible root privilege escalation.

Their init script used to chown catalina.out.  Brief look at initscripts for tomcat6 in Red Hat Enterprise Linux 6 and tomcat5 in Red Hat Enterprise Linux 5 suggest those scripts don't do any similar ownership change.  chown is only used to set owner of catalina.pid, created in /var/run/, which is not writeable to the tomcat user.

Comment 7 Tomas Hoger 2016-09-16 14:48:00 UTC
As noted above, Tomcat init scripts in Red Hat Enterprise Linux 5 and 6 do not attempt to chown catalina.out in a directory writeable to the tomcat user.

Tomcat packages in Red Hat Enterprise Linux 7 do not use init script, but use systemd service unit file.  There are no ownership changed done on Tomcat startup, and any start/stop actions for Tomcat on Red Hat Enterprise Linux 7 are executed directly under tomcat user and group and not with root privileges.  Hence Tomcat in Red Hat Enterprise Linux 7 is also unaffected.

Note that EPEL-6 tomcat packages are affected by this problem.

Comment 12 Tomas Hoger 2016-10-03 08:55:30 UTC
Reporter's advisory has now been published.

External References:

http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt

Comment 13 errata-xmlrpc 2017-03-07 19:07:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 14 errata-xmlrpc 2017-03-07 19:12:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 15 errata-xmlrpc 2017-03-07 19:16:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

Comment 16 Kurt Seifried 2017-07-13 02:06:33 UTC
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1470472]


Note You need to log in before you can comment on or make changes to this bug.