Linux administrators of Debian systems usually use apt-get for package management. When Tomcat is installed from a deb package, the package automatically creates a startup script (/etc/init.d/tomcat*) for the administrator. Attackers may abuse this script to gain root privileges from a lower-privileged Tomcat user account.
Local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a Java web application hosted on Tomcat, uploading a webshell, and so on) can escalate their privileges from the tomcat user to root and fully compromise the target system.
- Tomcat 8 <= 8.0.36-2
- Tomcat 7 <= 7.0.70-2
- Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
Affected systems include Debian and Ubuntu. Other systems that use the affected Debian packages may also be affected.
Update Tomcat to the latest version.
Considering the risk of updating packages, you can first add the -h option (do not follow symbolic links) to the chown call in Tomcat's startup script, so that it can no longer change the owner of other files:
chown -h $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
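The following is an added audit helper, not part of the original advisory or of Debian's Tomcat packaging. It writes a constructed init-script fragment (the variable names mirror the ones above; the paths are hypothetical) and then checks two things a defender wants to know: whether any chown line in a startup script still follows symlinks (no -h or --no-dereference), and whether a given log path is a symlink and therefore must not be handed to chown at all.

```sh
#!/bin/sh
# Added example: audit an init script for symlink-following chown calls.
# Not Debian's script; the sample fragment below is constructed for illustration.

# Write a constructed init-script fragment to the path in $1.
# Line 7 is the unsafe form, line 8 the hardened form with -h.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed fragment, not the real Debian script
TOMCAT6_USER=tomcat6
CATALINA_PID=/var/run/tomcat6.pid
CATALINA_BASE=/var/lib/tomcat6
chown $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown -h $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
EOF
}

# Print (with line numbers) every uncommented chown invocation in $1 that
# lacks -h / --no-dereference. Returns 0 when none are found, 1 otherwise.
find_unsafe_chown() {
    unsafe=$(grep -nE '^[^#]*[[:space:]]*chown[[:space:]]' "$1" \
        | grep -vE 'chown[[:space:]]+(-[[:alpha:]]*h|--no-dereference)')
    [ -z "$unsafe" ] && return 0
    printf '%s\n' "$unsafe"
    return 1
}

# A hardened script should refuse to chown a path that is a symlink, because
# ownership would otherwise be transferred to whatever the link points at.
# Returns 0 for a regular file or a missing file, 1 for a symlink.
path_is_safe_target() {
    if [ -L "$1" ]; then
        echo "refusing: $1 is a symbolic link" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration.
sample=$(mktemp)
write_sample_script "$sample"
if find_unsafe_chown "$sample"; then
    echo "no symlink-following chown found in $sample"
else
    echo "the chown line(s) above need -h"
fi
rm -f "$sample"
```

Run it against a real script with `find_unsafe_chown /etc/init.d/tomcat6`; a non-zero exit plus the offending numbered lines is the signal that the -h fix above has not been applied. `path_is_safe_target` is the check to put in front of the chown line itself, so that even a correctly flagged chown never operates on a link.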