It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. References: http://seclists.org/bugtraq/2016/Sep/26
Debian advisories for tomcat7 and tomcat8 for this CVE: https://www.debian.org/security/2016/dsa-3669 https://www.debian.org/security/2016/dsa-3670
Created attachment 1201569: Debian patch for tomcat7
Created attachment 1201570: Debian patch for tomcat8
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1376716]
Created tomcat tracking bugs for this issue: Affects: epel-6 [bug 1376718]
This is the flaw description in the Debian package changelog: * Fix CVE-2016-1240: tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink attacks and a possible root privilege escalation. Their init script used to chown catalina.out. A brief look at the initscripts for tomcat6 in Red Hat Enterprise Linux 6 and tomcat5 in Red Hat Enterprise Linux 5 suggests those scripts don't do any similar ownership change. chown is only used to set the owner of catalina.pid, created in /var/run/, which is not writeable by the tomcat user.
As noted above, Tomcat init scripts in Red Hat Enterprise Linux 5 and 6 do not attempt to chown catalina.out in a directory writeable by the tomcat user. Tomcat packages in Red Hat Enterprise Linux 7 do not use an init script, but a systemd service unit file. There are no ownership changes done on Tomcat startup, and any start/stop actions for Tomcat on Red Hat Enterprise Linux 7 are executed directly under the tomcat user and group and not with root privileges. Hence Tomcat in Red Hat Enterprise Linux 7 is also unaffected. Note that EPEL-6 tomcat packages are affected by this problem.
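The two comments above describe the flaw pattern (a root-run init script chowning catalina.out inside a directory the tomcat user can write to, so the path may be a symlink by the time chown runs) and the reason RHEL 7 is unaffected (no ownership change at all, startup under the tomcat user). The following shell example is added here for illustration; it is not code from this bug report, from the Debian patches attached above, or from any Red Hat or Debian init script. The function names, the `TOMCAT_USER` variable and the use of GNU `stat -c` are assumptions made for this example. It shows the unsafe pattern next to a hardened preparation step that refuses symlinks, non-regular files and multiply-linked files (the hard-link check goes slightly beyond the symlink case the changelog names) and only chowns when ownership actually differs.

```shell
#!/bin/sh
# Added example, not from the bug report or any distribution's init script.
# Assumptions: TOMCAT_USER names the service account; stat -c is GNU coreutils.

TOMCAT_USER="${TOMCAT_USER:-tomcat}"

# UNSAFE pattern, kept only for comparison. Running as root, this follows
# whatever $1 currently points to, so a symlink planted in the
# tomcat-writable log directory redirects the chown to another file.
unsafe_prepare_catalina_out() {
    touch "$1"
    chown "$TOMCAT_USER" "$1"
}

# Returns 0 only if $1 exists, is not a symlink, is a regular file and has
# exactly one hard link. Diagnostics go to stderr.
log_target_is_safe() {
    f="$1"
    if [ -L "$f" ]; then
        echo "refusing: $f is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "refusing: $f is not a regular file" >&2
        return 1
    fi
    links=$(stat -c %h "$f" 2>/dev/null) || return 1
    if [ "$links" -ne 1 ]; then
        echo "refusing: $f has $links hard links" >&2
        return 1
    fi
    return 0
}

# Hardened preparation: create the log file only if nothing (not even a
# dangling symlink) is at the path, validate it, and chown only when the
# current owner is not already the service user.
prepare_catalina_out() {
    f="$1"
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        ( umask 027; : > "$f" ) || return 1
    fi
    log_target_is_safe "$f" || return 1
    owner=$(stat -c %U "$f" 2>/dev/null) || return 1
    if [ "$owner" != "$TOMCAT_USER" ]; then
        chown "$TOMCAT_USER" "$f" || return 1
    fi
    return 0
}
```

The check narrows the window but is still a check-then-act sequence, so a writer to the log directory could in principle swap the file between `log_target_is_safe` and `chown`. The robust fix is the one the RHEL 7 comment describes: perform no ownership change from root at all and let the service start under the tomcat account, so nothing privileged ever touches a path inside a directory that account can write to.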
Reporter's advisory has now been published. External References: http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0 Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
Created jbossweb tracking bugs for this issue: Affects: openshift-1 [bug 1470472]