The (1) tomcat5, (2) tomcat6, and (3) tomcat7 init scripts, as used in the RPM distribution of Tomcat for JBoss Enterprise Web Server 1.0.2 and 2.0.0, and Red Hat Enterprise Linux 5 and 6, allow local users to change the ownership of arbitrary files via a symlink attack on (a) tomcat5-initd.log, (b) tomcat6-initd.log, (c) catalina.out, or (d) tomcat7-initd.log.

Updated tomcat6 and tomcat7 packages that fix one security issue are now available for JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A flaw was found in the way the tomcat6 and tomcat7 init scripts handled the tomcat6-initd.log and tomcat7-initd.log log files. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, tomcat6-initd.log and tomcat7-initd.log have been moved to the /var/log/ directory.

Red Hat would like to thank Simon Fayer of Imperial College London for reporting this issue.

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Users of Tomcat should upgrade to these updated packages, which resolve this issue. Tomcat must be restarted for this update to take effect.

Tomcat was updated to fix security issues and bug: CVE-2013-1976:
Avoid a potential symlink race during startup of the tomcat server, where a local attacker that gaine access to the tomcat chroot could escalate privileges to root.

CVE-2013-2067:
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat did not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

CVE-2012-3544: Tomcat were affected by a chunked transfer encoding extension size denial of service vulnerability.

Also the following bug was fixed :

  - Fix tomcat init scripts generating malformed classpath     (http://youtrack.jetbrains.com/issue/JT-18545)     bnc#804992

Tomcat was updated to fix two security issues: CVE-2013-1976: Avoid a potential symlink race during startup of the tomcat server, where a local attacker that gaine access to the tomcat chroot could escalate privileges to root.

CVE-2013-2071:
java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x did not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Updated tomcat6 packages fix security vulnerabilities :

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service (CVE-2012-3544).

A frame injection in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc (CVE-2013-1571).

A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root (CVE-2013-1976).

It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials (CVE-2013-2067).

Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.

This update of tomcat6 fixes :

  - apache-tomcat-CVE-2012-3544.patch. (bnc#831119)

  - use chown --no-dereference to prevent symlink attacks on     log (bnc#822177#c7/prevents CVE-2013-1976)

  - Fix tomcat init scripts generating malformed classpath (     http://youtrack.jetbrains.com/issue/JT-18545 )     bnc#804992 (patch from m407)

  - fix a typo in initscript. (bnc#768772)

  - copy all shell scripts (bnc#818948)

From Red Hat Security Advisory 2013:0870 :

Updated tomcat5 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A flaw was found in the way the tomcat5 init script handled the catalina.out log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, /var/log/tomcat5/catalina.out has been moved to the /var/log/tomcat5-initd.log file.

Red Hat would like to thank Simon Fayer of Imperial College London for reporting this issue.

Users of Tomcat are advised to upgrade to these updated packages, which correct this issue. Tomcat must be restarted for this update to take effect.

From Red Hat Security Advisory 2013:0869 :

Updated tomcat6 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.

It was found that the RHSA-2013:0623 update did not correctly fix CVE-2012-5887, a weakness in the Tomcat DIGEST authentication implementation. A remote attacker could use this flaw to perform replay attacks in some circumstances. Additionally, this problem also prevented users from being able to authenticate using DIGEST authentication. (CVE-2013-2051)

Red Hat would like to thank Simon Fayer of Imperial College London for reporting the CVE-2013-1976 issue.

Users of Tomcat are advised to upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.

Updated tomcat5 and tomcat6 packages that fix one security issue are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A flaw was found in the way the tomcat5 and tomcat6 init scripts handled the tomcat5-initd.log and tomcat6-initd.log log files. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, tomcat5-initd.log and tomcat6-initd.log have been moved to the /var/log/ directory.

Red Hat would like to thank Simon Fayer of Imperial College London for reporting this issue.

Warning: Before applying the update, back up your existing JBoss Enterprise Web Server installation (including all applications and configuration files).

Users of Tomcat should upgrade to these updated packages, which resolve this issue. Tomcat must be restarted for this update to take effect.

Updated tomcat5 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A flaw was found in the way the tomcat5 init script handled the catalina.out log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, /var/log/tomcat5/catalina.out has been moved to the /var/log/tomcat5-initd.log file.

Red Hat would like to thank Simon Fayer of Imperial College London for reporting this issue.

Users of Tomcat are advised to upgrade to these updated packages, which correct this issue. Tomcat must be restarted for this update to take effect.

Updated tomcat6 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.

It was found that the RHSA-2013:0623 update did not correctly fix CVE-2012-5887, a weakness in the Tomcat DIGEST authentication implementation. A remote attacker could use this flaw to perform replay attacks in some circumstances. Additionally, this problem also prevented users from being able to authenticate using DIGEST authentication. (CVE-2013-2051)

Red Hat would like to thank Simon Fayer of Imperial College London for reporting the CVE-2013-1976 issue.

Users of Tomcat are advised to upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.

A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.

It was found that the SLSA-2013:0623 update did not correctly fix CVE-2012-5887, a weakness in the Tomcat DIGEST authentication implementation. A remote attacker could use this flaw to perform replay attacks in some circumstances. Additionally, this problem also prevented users from being able to authenticate using DIGEST authentication. (CVE-2013-2051)

Tomcat must be restarted for this update to take effect.

A flaw was found in the way the tomcat5 init script handled the catalina.out log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, /var/log/tomcat5/catalina.out has been moved to the /var/log/tomcat5-initd.log file.

Tomcat must be restarted for this update to take effect.

ID	Name	Product	Family	Severity
76236	RHEL 5 / 6 : JBoss Web Server (RHSA-2013:0871)	Nessus	Red Hat Local Security Checks	medium
75107	openSUSE Security Update : tomcat (openSUSE-SU-2013:1307-1)	Nessus	SuSE Local Security Checks	medium
75106	openSUSE Security Update : tomcat (openSUSE-SU-2013:1306-1)	Nessus	SuSE Local Security Checks	medium
72595	Mandriva Linux Security Advisory : tomcat6 (MDVSA-2014:042)	Nessus	Mandriva Local Security Checks	medium
69754	Amazon Linux AMI : tomcat6 (ALAS-2013-196)	Nessus	Amazon Linux Local Security Checks	medium
69458	SuSE 11.2 / 11.3 Security Update : tomcat6 (SAT Patch Numbers 8155 / 8156)	Nessus	SuSE Local Security Checks	medium
68828	Oracle Linux 5 : tomcat5 (ELSA-2013-0870)	Nessus	Oracle Linux Local Security Checks	medium
68827	Oracle Linux 6 : tomcat6 (ELSA-2013-0869)	Nessus	Oracle Linux Local Security Checks	medium
66690	RHEL 5 / 6 : tomcat5 and tomcat6 (RHSA-2013:0872)	Nessus	Red Hat Local Security Checks	medium
66675	CentOS 5 : tomcat5 (CESA-2013:0870)	Nessus	CentOS Local Security Checks	medium
66674	CentOS 6 : tomcat6 (CESA-2013:0869)	Nessus	CentOS Local Security Checks	medium
66665	Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20130528)	Nessus	Scientific Linux Local Security Checks	medium
66664	Scientific Linux Security Update : tomcat5 on SL5.x i386/x86_64 (20130528)	Nessus	Scientific Linux Local Security Checks	medium
66661	RHEL 5 : tomcat5 (RHSA-2013:0870)	Nessus	Red Hat Local Security Checks	medium
66660	RHEL 6 : tomcat6 (RHSA-2013:0869)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2013-1976

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium