Bug 1376712 - (CVE-2016-1240) CVE-2016-1240 tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware/OS: All Linux
Priority: high  Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20160915,repo...
Keywords: Security
Depends On: 1470472 1376716 1376718
Blocks: 1362547 1428325
Reported: 2016-09-16 04:38 EDT by Andrej Nemec
Modified: 2017-08-08 20:05 EDT (History)

Doc Text:
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.

Attachments:
  Debian patch for tomcat7 (3.32 KB, patch), 2016-09-16 04:43 EDT, Tomas Hoger
  Debian patch for tomcat8 (3.22 KB, patch), 2016-09-16 04:44 EDT, Tomas Hoger

Description Andrej Nemec 2016-09-16 04:38:06 EDT
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.

References:

http://seclists.org/bugtraq/2016/Sep/26
Comment 1 Tomas Hoger 2016-09-16 04:42:14 EDT
Debian advisories for tomcat7 and tomcat8 for this CVE:

https://www.debian.org/security/2016/dsa-3669
https://www.debian.org/security/2016/dsa-3670
Comment 2 Tomas Hoger 2016-09-16 04:43 EDT
Created attachment 1201569
Debian patch for tomcat7
Comment 3 Tomas Hoger 2016-09-16 04:44 EDT
Created attachment 1201570
Debian patch for tomcat8
Comment 4 Andrej Nemec 2016-09-16 04:46:14 EDT
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1376716]
Comment 5 Andrej Nemec 2016-09-16 04:48:42 EDT
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1376718]
Comment 6 Tomas Hoger 2016-09-16 05:00:11 EDT
This is the flaw description in the Debian packages changelog:

  * Fix CVE-2016-1240:
    tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
    attacks and a possible root privilege escalation.

Their init script used to chown catalina.out.  A brief look at the init scripts for tomcat6 in Red Hat Enterprise Linux 6 and tomcat5 in Red Hat Enterprise Linux 5 suggests those scripts don't do any similar ownership change.  chown is only used to set the owner of catalina.pid, created in /var/run/, which is not writeable to the tomcat user.
Comment 7 Tomas Hoger 2016-09-16 10:48:00 EDT
As noted above, Tomcat init scripts in Red Hat Enterprise Linux 5 and 6 do not attempt to chown catalina.out in a directory writeable to the tomcat user.

Tomcat packages in Red Hat Enterprise Linux 7 do not use an init script, but a systemd service unit file.  There are no ownership changes done on Tomcat startup, and any start/stop actions for Tomcat on Red Hat Enterprise Linux 7 are executed directly under the tomcat user and group and not with root privileges.  Hence Tomcat in Red Hat Enterprise Linux 7 is also unaffected.

Note that EPEL-6 tomcat packages are affected by this problem.
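As an added, defender-side illustration of the flaw class discussed in the two comments above (this is not the Debian patch attached to this bug, nor any Red Hat init script): a POSIX shell helper an init script could call instead of an unconditional root `chown` on a log file that lives in a directory the service user can write to. The log path, user and group it is called with are assumptions; the stand-alone demo at the bottom uses a scratch directory and the invoking user as constructed input.

```shell
#!/bin/sh
# Added example (not code from the Debian tomcat7/tomcat8 packages or from the
# Red Hat init scripts): prepare a service log file without letting a root chown
# follow a link planted in a service-writable directory. Paths, user and group
# names are assumptions supplied by the caller.

prepare_log_file() {
    file="$1"     # e.g. /var/log/tomcat7/catalina.out (assumed path)
    owner="$2"    # service user, e.g. tomcat
    group="$3"    # service group, e.g. tomcat

    # Unsafe pattern this replaces: running "chown $owner:$group $file" as root
    # unconditionally. chown follows symlinks, so whatever $file points to
    # gets its owner changed.

    # 1. Never operate on a symlink. -L inspects the link itself, unlike -f,
    #    which reports on the link target.
    if [ -L "$file" ]; then
        echo "prepare_log_file: refusing $file: it is a symbolic link" >&2
        return 1
    fi
    # 2. If something is already there, it must be a regular file.
    if [ -e "$file" ] && [ ! -f "$file" ]; then
        echo "prepare_log_file: refusing $file: not a regular file" >&2
        return 1
    fi
    # 3. Create the file only if absent, with set -C (noclobber), which makes
    #    the shell open it with O_EXCL: the open fails instead of following a
    #    link that appeared after the checks above. umask 027 yields mode 0640
    #    at creation, so no separate chmod (which would follow links) is needed.
    if [ ! -e "$file" ]; then
        (umask 027 && set -C && : > "$file") || {
            echo "prepare_log_file: could not create $file" >&2
            return 1
        }
    fi
    # 4. chown -h changes the ownership of the path entry itself and never
    #    dereferences a link, so even if a link replaced the file between
    #    step 1 and here, only the link object, not its target, is touched.
    chown -h "$owner:$group" "$file" || return 1
    # 5. Final re-check: anything but a regular file now means the directory
    #    was tampered with; report it rather than start the service.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "prepare_log_file: $file changed underneath us" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration in a scratch directory (constructed input):
#   sh prepare_log.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    : > "$demo/victim"
    ln -s "$demo/victim" "$demo/catalina.out"
    if prepare_log_file "$demo/catalina.out" "$(id -un)" "$(id -gn)"; then
        echo "unexpected: accepted a symlink"
    else
        echo "symlink rejected, $demo/victim left untouched"
    fi
    rm -f "$demo/catalina.out"
    prepare_log_file "$demo/catalina.out" "$(id -un)" "$(id -gn)" \
        && echo "regular file created: $(ls -l "$demo/catalina.out")"
    rm -rf "$demo"
fi
```

The stronger structural fix, which the helper does not attempt, is to avoid privileged file operations in a service-writable directory altogether: create and own the log file as the service user (for example via `runuser` or `su` before starting the JVM) so that root never issues a `chown` there and a planted link has nothing to exploit. The checks above are the fallback when the script must keep doing the work as root.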
Comment 12 Tomas Hoger 2016-10-03 04:55:30 EDT
Reporter's advisory has now been published.

External References:

http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt
Comment 13 errata-xmlrpc 2017-03-07 14:07:56 EST
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
Comment 14 errata-xmlrpc 2017-03-07 14:12:25 EST
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
Comment 15 errata-xmlrpc 2017-03-07 14:16:56 EST
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
Comment 16 Kurt Seifried 2017-07-12 22:06:33 EDT
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1470472]
