[Vulnerability notice] CVE-2016-1240: Local permission escalation vulnerability in Tomcat

Last Updated: Nov 23, 2017

Description

Linux administrators of Debian systems usually use apt-get for package management. When Tomcat is installed from a deb package, a startup script (/etc/init.d/tomcat*) is automatically created for the administrator. Attackers may exploit this script to gain system root permissions using a lower-permission Tomcat user account.

Local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a Java web application hosted on Tomcat, uploading a webshell and so on) can escalate their privileges from the tomcat user to root and fully compromise the target system.

Affected versions

  • Tomcat 8 <= 8.0.36-2
  • Tomcat 7 <= 7.0.70-2
  • Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

Affected systems include Debian and Ubuntu. Other systems using the affected Debian packages may also be affected.

Fix

  • Update Tomcat to the latest version.

  • If updating packages immediately is too risky, you can first add the -h parameter to the chown command in Tomcat’s startup script, so that chown acts on a symbolic link itself and does not change the owner of other files.

    chown -h $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
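
One way to check whether a startup script still carries the chown call without -h, and whether catalina.out is currently a symbolic link. This is an added example, not part of the original advisory. The function names `find_unsafe_chown` and `log_is_symlink` and the sample script fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an init script for chown calls
# on catalina.out that would follow a symbolic link.

# Print "LINE:TEXT" for every chown of catalina.out that lacks -h or
# --no-dereference. Exit status 0 = unsafe call found, 1 = none found.
find_unsafe_chown() {
    awk '
    /^[ \t]*#/ { next }                          # ignore comment lines
    /chown[ \t]/ && /catalina\.out/ {
        n = split($0, w); safe = 0
        for (i = 1; i <= n; i++) if (w[i] ~ /(^|\/)chown$/) break
        # Walk only the option words that directly follow chown.
        for (i++; i <= n && w[i] ~ /^-/; i++)
            if (w[i] == "--no-dereference" || w[i] ~ /^-[A-Za-z]*h[A-Za-z]*$/)
                safe = 1
        if (!safe) { printf "%d:%s\n", NR, $0; found = 1 }
    }
    END { exit(found ? 0 : 1) }' "$1"
}

# True when the log path is a symbolic link, i.e. a chown without -h would
# change the owner of whatever the link points to.
log_is_symlink() { [ -L "$1" ]; }

# Constructed sample data: two init script fragments and a linked log file.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/init.before" <<'EOF'
    chown $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
EOF
cat > "$demo_dir/init.after" <<'EOF'
    chown -h $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
EOF
mkdir "$demo_dir/logs"
: > "$demo_dir/other-file"
ln -s "$demo_dir/other-file" "$demo_dir/logs/catalina.out"

for f in "$demo_dir/init.before" "$demo_dir/init.after"; do
    if find_unsafe_chown "$f"; then echo "UNSAFE: $f"; else echo "ok: $f"; fi
done
if log_is_symlink "$demo_dir/logs/catalina.out"; then
    echo "catalina.out is a symbolic link: investigate before restarting"
fi
```

On a real host, pass the installed /etc/init.d/tomcat* script to `find_unsafe_chown` and the actual logs/catalina.out path to `log_is_symlink`.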

Learn more: http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html