Bug 958618 - (CVE-2013-2035) CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbitrary code execution
CVE-2013-2035 HawtJNI: predictable temporary file name leading to local arbit...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130513,reported=2...
: Security
Depends On: 957196 961605 962614 962615 962616 962617 1011318 1050442 1050443 1050444 1050445 1050447 1050448 1050450 1050451 1050452 1050453 1050454 1050455 1050456 1050457 1075456 1160702
Blocks: 957570 958349 991853 1012753 1026176 1059975 1097027 1139455 1141957 1145284 1159080 1159088
  Show dependency treegraph
 
Reported: 2013-05-02 01:16 EDT by David Jorm
Modified: 2015-02-15 16:58 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description David Jorm 2013-05-02 01:16:25 EDT
IssueDescription:

The HawtJNI Library class wrote native libraries to a predictable file name in /tmp when the native libraries were bundled in a JAR file, and no custom library path was specified. A local attacker could overwrite these native libraries with malicious versions during the window between when HawtJNI writes them and when they are executed.
Comment 1 David Jorm 2013-05-03 00:49:07 EDT
Acknowledgements:

This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Comment 4 David Jorm 2013-05-13 21:42:24 EDT
HawtJNI 1.8 has been released, incorporating a fix for this flaw. Several other components embed HawtJNI, potentially exposing this flaw.

Jansi 1.11 has been released, embedding HawtJNI 1.8 and incorporating a fix for this flaw. 

JLine 2.11 has been released, embedding Jansi 1.11 and incorporating a fix for this flaw.

JRuby 1.7.5 has been released, embedding JLine 2.1.1 and incorporating a fix for this flaw.
Comment 8 David Jorm 2013-05-14 00:01:37 EDT
Created jansi tracking bugs for this issue

Affects: fedora-all [bug 962614]
Comment 9 David Jorm 2013-05-14 00:01:40 EDT
Created jruby tracking bugs for this issue

Affects: fedora-all [bug 962617]
Comment 10 errata-xmlrpc 2013-07-09 13:58:06 EDT
This issue has been addressed in following products:

  Fuse MQ Enterprise 7.1.0

Via RHSA-2013:1029 https://rhn.redhat.com/errata/RHSA-2013-1029.html
Comment 12 Christian d'Heureuse 2013-08-01 08:56:25 EDT
Even when the file name of the native library in /tmp is generated using unpredictable random numbers, isn't it still possible to scan through the /tmp directory, find the file and modify or replace it?
Comment 13 David Jorm 2013-08-01 22:07:11 EDT
(In reply to Christian d'Heureuse from comment #12)
> Even when the file name of the native library in /tmp is generated using
> unpredictable random numbers, isn't it still possible to scan through the
> /tmp directory, find the file and modify or replace it?

The patch for this flaw also ensures that the temporary file is written by HawtJNI before it is read by HawtJNI, and that file permissions prevent a different user from overwriting this file. This means that an attacker cannot plant a malicious library in advance, and cannot overwrite the existing library after it has been created.
Comment 15 errata-xmlrpc 2013-12-04 12:24:31 EST
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.0

Via RHSA-2013:1784 https://rhn.redhat.com/errata/RHSA-2013-1784.html
Comment 16 errata-xmlrpc 2013-12-04 13:10:22 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:1786 https://rhn.redhat.com/errata/RHSA-2013-1786.html
Comment 17 errata-xmlrpc 2013-12-04 13:15:59 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:1785 https://rhn.redhat.com/errata/RHSA-2013-1785.html
Comment 21 errata-xmlrpc 2014-01-15 12:46:25 EST
This issue has been addressed in following products:

  Red Hat JBoss Data Grid 6.2.0

Via RHSA-2014:0029 https://rhn.redhat.com/errata/RHSA-2014-0029.html
Comment 22 errata-xmlrpc 2014-03-03 13:26:29 EST
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 2.0

Via RHSA-2014:0245 https://rhn.redhat.com/errata/RHSA-2014-0245.html
Comment 23 errata-xmlrpc 2014-03-05 14:05:44 EST
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 1.2

Via RHSA-2014:0254 https://rhn.redhat.com/errata/RHSA-2014-0254.html
Comment 24 errata-xmlrpc 2014-04-14 09:48:07 EDT
This issue has been addressed in following products:

  Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html
Comment 25 Chess Hazlett 2014-04-14 22:28:45 EDT
This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html
Comment 26 errata-xmlrpc 2014-09-23 16:20:02 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html
Comment 27 errata-xmlrpc 2014-09-23 16:20:53 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html
Comment 29 errata-xmlrpc 2014-11-25 11:48:39 EST
This issue has been addressed in the following products:

  JBoss Operations Network 3.3.0

Via RHSA-2014:1904 https://rhn.redhat.com/errata/RHSA-2014-1904.html
Comment 30 errata-xmlrpc 2014-12-15 15:35:52 EST
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html
Comment 31 errata-xmlrpc 2015-01-12 12:32:49 EST
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.0.0

Via RHSA-2015:0034 https://rhn.redhat.com/errata/RHSA-2015-0034.html

Note You need to log in before you can comment on or make changes to this bug.