Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1362545 (CVE-2016-5425) - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Summary: CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5425
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1362567 1362568 1383210
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-02 13:16 UTC by Adam Mariš
Modified: 2021-02-17 03:28 UTC (History)
69 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
Clone Of:
Environment:
Last Closed: 2016-10-10 20:44:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2046 0 normal SHIPPED_LIVE Important: tomcat security update 2016-10-11 00:38:43 UTC

Description Adam Mariš 2016-08-02 13:16:44 UTC 
It was reported that Tomcat packages in Red Hat Enterprise Linux 7 are vulnerable to local privilege escalation from tomcat group user to root. Tomcat configuration file located at /usr/lib/tmpfiles.d/tomcat.conf can be modified by any user belonging to tomcat group. This file is used by /usr/bin/systemd-tmpfiles service to create temporary files.

As the systemd-tmpfiles service runs with root permissions, this enables the tomcat user to gain root privileges by editing the /usr/lib/tmpfiles.d/tomcat.conf file to contain a line which will cause the systemd-tmpfiles to create files within arbitrary system directory and arbitrary permissions.

External Reference:

http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt
Comment 1 Adam Mariš 2016-08-02 13:17:37 UTC 
Acknowledgments:

Name: Dawid Golunski (http://legalhackers.com)
Comment 9 Adam Mariš 2016-10-10 08:14:44 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383210]
Comment 10 Adam Mariš 2016-10-10 08:15:40 UTC 
Public via:

http://seclists.org/oss-sec/2016/q4/78
Comment 11 Steven Haigh 2016-10-10 09:19:53 UTC 
Out of interest, would SELinux policy prevent the tomcat user from writing to this file anyway?
Comment 12 Michal Schmidt 2016-10-10 09:38:56 UTC 
I'm afraid it won't. Query the SELinux policy:

$ sesearch --allow -s tomcat_t -t lib_t -c file -p write
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { [...] write [...] } ;

It appears tomcat_t has the files_unconfined_type attribute, which means the SELinux policy puts very little restrictions on it.
Comment 13 errata-xmlrpc 2016-10-10 20:41:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html
Note You need to log in before you can comment on or make changes to this bug.