Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at
Bug 1362545 (CVE-2016-5425) - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Summary: CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
Alias: CVE-2016-5425
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1362567 1362568 1383210
TreeView+ depends on / blocked
Reported: 2016-08-02 13:16 UTC by Adam Mariš
Modified: 2021-02-17 03:28 UTC (History)
69 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
Clone Of:
Last Closed: 2016-10-10 20:44:16 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2046 0 normal SHIPPED_LIVE Important: tomcat security update 2016-10-11 00:38:43 UTC

Description Adam Mariš 2016-08-02 13:16:44 UTC
It was reported that Tomcat packages in Red Hat Enterprise Linux 7 are vulnerable to local privilege escalation from tomcat group user to root. Tomcat configuration file located at /usr/lib/tmpfiles.d/tomcat.conf can be modified by any user belonging to tomcat group. This file is used by /usr/bin/systemd-tmpfiles service to create temporary files.

As the systemd-tmpfiles service runs with root permissions, this enables the tomcat user to gain root privileges by editing the /usr/lib/tmpfiles.d/tomcat.conf file to contain a line which will cause the systemd-tmpfiles to create files within arbitrary system directory and arbitrary permissions.

External Reference:

Comment 1 Adam Mariš 2016-08-02 13:17:37 UTC

Name: Dawid Golunski (

Comment 9 Adam Mariš 2016-10-10 08:14:44 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1383210]

Comment 10 Adam Mariš 2016-10-10 08:15:40 UTC
Public via:

Comment 11 Steven Haigh 2016-10-10 09:19:53 UTC
Out of interest, would SELinux policy prevent the tomcat user from writing to this file anyway?

Comment 12 Michal Schmidt 2016-10-10 09:38:56 UTC
I'm afraid it won't. Query the SELinux policy:

$ sesearch --allow -s tomcat_t -t lib_t -c file -p write
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { [...] write [...] } ;

It appears tomcat_t has the files_unconfined_type attribute, which means the SELinux policy puts very little restrictions on it.

Comment 13 errata-xmlrpc 2016-10-10 20:41:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046

Note You need to log in before you can comment on or make changes to this bug.