http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html

http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html

RHSA-2016:2046

[oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

93472

1036979

40488

The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.15.5. It is, therefore, affected by multiple vulnerabilities.

According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The Expression Language (EL) implementation in Apache     Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x     before 8.0.16 does not properly consider the     possibility of an accessible interface implemented by     an inaccessible class, which allows attackers to bypass     a SecurityManager protection mechanism via a web     application that leverages use of incorrect privileges     during EL evaluation.(CVE-2014-7810)

  - Session fixation vulnerability in Apache Tomcat 7.x     before 7.0.66, 8.x before 8.0.30, and 9.x before     9.0.0.M2, when different session settings are used for     deployments of multiple versions of the same web     application, might allow remote attackers to hijack web     sessions by leveraging use of a requestedSessionSSL     field for an unintended request, related to     CoyoteAdapter.java and Request.java.(CVE-2015-5346)

  - Apache Tomcat through 8.5.4, when the CGI Servlet is     enabled, follows RFC 3875 section 4.1.18 and therefore     does not protect applications from the presence of     untrusted client data in the HTTP_PROXY environment     variable, which might allow remote attackers to     redirect an application's outbound HTTP traffic to an     arbitrary proxy server via a crafted Proxy header in an     HTTP request, aka an 'httpoxy' issue. NOTE: the vendor     states 'A mitigation is planned for future releases of     Tomcat, tracked as CVE-2016-5388'; in other words, this     is not a CVE ID for a vulnerability.(CVE-2016-5388)

  - It was discovered that the Tomcat packages installed     configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or     a malicious web application deployed on Tomcat could     use this flaw to escalate their     privileges.(CVE-2016-5425)

  - It was discovered that the Tomcat packages installed     certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group.
    A member of the group or a malicious web application     deployed on Tomcat could use this flaw to escalate     their privileges.(CVE-2016-6325)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa :

  - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets     environmental variable based on user supplied Proxy     request header

  - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794     CVE-2016-6796 CVE-2016-6797 tomcat: various flaws

and includes two additional CVE fixes along with one bug fix :

  - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege     escalation via systemd-tmpfiles service

  - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable     config files allow privilege escalation

  - rhbz#1370262 - catalina.out is no longer in use in the     main package, but still gets rotated

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - It was discovered that the Tomcat packages installed     configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or     a malicious web application deployed on Tomcat could use     this flaw to escalate their privileges. (CVE-2016-5425)

  - It was discovered that the Tomcat packages installed     certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group.
    A member of the group or a malicious web application     deployed on Tomcat could use this flaw to escalate their     privileges. (CVE-2016-6325)

  - It was found that the expression language resolver     evaluated expressions within a privileged code section.
    A malicious web application could use this flaw to     bypass security manager protections. (CVE-2014-7810)

  - It was discovered that tomcat used the value of the     Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which     in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing HTTP     requests. A remote attacker could possibly use this flaw     to redirect HTTP requests performed by a CGI script to     an attacker-controlled proxy via a malicious HTTP     request. (CVE-2016-5388)

  - A session fixation flaw was found in the way Tomcat     recycled the requestedSessionSSL field. If at least one     web application was configured to use the SSL session ID     as the HTTP session ID, an attacker could reuse a     previously used session ID for further requests.
    (CVE-2015-5346)

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es) :

* It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)

* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)

Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.

From Red Hat Security Advisory 2016:2046 :

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es) :

* It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)

* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)

Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.

ID	Name	Product	Family	Severity
112192	Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities	Nessus	CGI abuses	high
99812	EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049)	Nessus	Huawei Local Security Checks	high
94997	Fedora 25 : 1:tomcat (2016-38e5b05260) (httpoxy)	Nessus	Fedora Local Security Checks	high
94748	Fedora 24 : 1:tomcat (2016-c1b01b9278) (httpoxy)	Nessus	Fedora Local Security Checks	high
94747	Fedora 23 : 1:tomcat (2016-4094bd4ad6) (httpoxy)	Nessus	Fedora Local Security Checks	high
94005	Scientific Linux Security Update : tomcat on SL7.x (noarch) (httpoxy)	Nessus	Scientific Linux Local Security Checks	high
93966	CentOS 7 : tomcat (CESA-2016:2046) (httpoxy)	Nessus	CentOS Local Security Checks	high
93951	RHEL 7 : tomcat (RHSA-2016:2046) (httpoxy)	Nessus	Red Hat Local Security Checks	high
93948	Oracle Linux 7 : tomcat (ELSA-2016-2046) (httpoxy)	Nessus	Oracle Linux Local Security Checks	high

CVE-2016-5425

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins