CVE-2016-1240

Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

El inicio de secuencia de comandos de Tomcat en el paquete tomcat7 en versiones anteriores 7.0.56-3+deb8u4 y el paquete tomcat8 en versiones anteriores 8.0.14-1+deb8u3 en Debian jessie y los paquetes tomcat6 y libtomcat6-java en versiones anteriores 6.0.35-1ubuntu3.8 en Ubuntu 12.04 LTS, los paquetes tomcat7 y libtomcat7-java en versiones anteriores 7.0.52-1ubuntu0.7 en Ubuntu 14.04 LTS y los paquetes tomcat8 y libtomcat8-java en versiones anteriores 8.0.32-1ubuntu1.2 en Ubuntu 16.04 LTS permite a usuarios locales con acceso a la cuenta tomcat obtener privilegios de root a través de un ataque de enlace simbólico en archivo de registro Catalina, según lo demostrado por /var/log/tomcat7/catalina.out.

It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.

Apache Tomcat versions 8.0.36-2 and below, 7.0.70-2 and below, and 6.0.45+dfsg-1~deb8ul and below suffer from a local root privilege escalation vulnerability.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-12-27 CVE Reserved
2016-09-16 CVE Published
2023-07-08 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation
CWE-284: Improper Access Control

CAPEC

References (16)

URL	Tag	Source
http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
http://packetstormsecurity.com/files/170857/Apache-Tomcat-On-Ubuntu-Log-Init-Privilege-Escalation.html
http://www.securityfocus.com/archive/1/539519/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/93263	Vdb Entry
http://www.securitytracker.com/id/1036845	Third Party Advisory
https://security.netapp.com/advisory/ntap-20180731-0002

URL	Date	SRC
https://www.exploit-db.com/exploits/40450	2024-08-05

URL	Date	SRC

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2017-0457.html	2023-02-06
http://www.debian.org/security/2016/dsa-3669	2023-02-06
http://www.debian.org/security/2016/dsa-3670	2023-02-06
http://www.ubuntu.com/usn/USN-3081-1	2023-02-06
https://access.redhat.com/errata/RHSA-2017:0455	2023-02-06
https://access.redhat.com/errata/RHSA-2017:0456	2023-02-06
https://security.gentoo.org/glsa/201705-09	2023-02-06
https://access.redhat.com/security/cve/CVE-2016-1240	2017-03-07
https://bugzilla.redhat.com/show_bug.cgi?id=1376712	2017-03-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	6.0 Search vendor "Apache" for product "Tomcat" and version "6.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	6.0 Search vendor "Apache" for product "Tomcat" and version "6.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	6.0 Search vendor "Apache" for product "Tomcat" and version "6.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	7.0 Search vendor "Apache" for product "Tomcat" and version "7.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	7.0 Search vendor "Apache" for product "Tomcat" and version "7.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	7.0 Search vendor "Apache" for product "Tomcat" and version "7.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	8.0 Search vendor "Apache" for product "Tomcat" and version "8.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	8.0 Search vendor "Apache" for product "Tomcat" and version "8.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	8.0 Search vendor "Apache" for product "Tomcat" and version "8.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"	lts	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	7.0 Search vendor "Apache" for product "Tomcat" and version "7.0"	-	Affected	in	Debian Search vendor "Debian"	Debian Linux Search vendor "Debian" for product "Debian Linux"	8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	8.0 Search vendor "Apache" for product "Tomcat" and version "8.0"	-	Affected	in	Debian Search vendor "Debian"	Debian Linux Search vendor "Debian" for product "Debian Linux"	8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"	-	Safe