Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1362545 (CVE-2016-5425)

Summary: CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, asantos, aszczucz, bbaranow, bdawidow, bmaxwell, ccoleman, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, felias, fnasser, gvarsami, hfnukal, hhorak, jason.greene, jawilson, jclere, jcoleman, jdoyle, jgoulding, jialiu, joelsmith, jokerman, jolee, jorton, jpallich, jshepherd, kanderso, kconner, ldimaggi, lgao, lmeyer, mbabacek, mbaluch, miburman, mizdebsk, mmccomas, mnewsome, mschmidt, mweiler, myarboro, netwiz, nobody+bgollahe, nwallace, ohudlick, pavelp, pgier, psakar, pslavice, rnetuka, rsvoboda, rwagner, rzima, security-response-team, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-10 20:44:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1362567, 1362568, 1383210    
Bug Blocks:    

Description Adam Mariš 2016-08-02 13:16:44 UTC 
It was reported that Tomcat packages in Red Hat Enterprise Linux 7 are vulnerable to local privilege escalation from tomcat group user to root. Tomcat configuration file located at /usr/lib/tmpfiles.d/tomcat.conf can be modified by any user belonging to tomcat group. This file is used by /usr/bin/systemd-tmpfiles service to create temporary files.

As the systemd-tmpfiles service runs with root permissions, this enables the tomcat user to gain root privileges by editing the /usr/lib/tmpfiles.d/tomcat.conf file to contain a line which will cause the systemd-tmpfiles to create files within arbitrary system directory and arbitrary permissions.

External Reference:

http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt
Comment 1 Adam Mariš 2016-08-02 13:17:37 UTC 
Acknowledgments:

Name: Dawid Golunski (http://legalhackers.com)
Comment 9 Adam Mariš 2016-10-10 08:14:44 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383210]
Comment 10 Adam Mariš 2016-10-10 08:15:40 UTC 
Public via:

http://seclists.org/oss-sec/2016/q4/78
Comment 11 Steven Haigh 2016-10-10 09:19:53 UTC 
Out of interest, would SELinux policy prevent the tomcat user from writing to this file anyway?
Comment 12 Michal Schmidt 2016-10-10 09:38:56 UTC 
I'm afraid it won't. Query the SELinux policy:

$ sesearch --allow -s tomcat_t -t lib_t -c file -p write
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { [...] write [...] } ;

It appears tomcat_t has the files_unconfined_type attribute, which means the SELinux policy puts very little restrictions on it.
Comment 13 errata-xmlrpc 2016-10-10 20:41:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html