CVE-2016-1240
Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
5Exploited in Wild
-Decision
Descriptions
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.
El inicio de secuencia de comandos de Tomcat en el paquete tomcat7 en versiones anteriores 7.0.56-3+deb8u4 y el paquete tomcat8 en versiones anteriores 8.0.14-1+deb8u3 en Debian jessie y los paquetes tomcat6 y libtomcat6-java en versiones anteriores 6.0.35-1ubuntu3.8 en Ubuntu 12.04 LTS, los paquetes tomcat7 y libtomcat7-java en versiones anteriores 7.0.52-1ubuntu0.7 en Ubuntu 14.04 LTS y los paquetes tomcat8 y libtomcat8-java en versiones anteriores 8.0.32-1ubuntu1.2 en Ubuntu 16.04 LTS permite a usuarios locales con acceso a la cuenta tomcat obtener privilegios de root a través de un ataque de enlace simbólico en archivo de registro Catalina, según lo demostrado por /var/log/tomcat7/catalina.out.
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements. Multiple security issues have been addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-12-27 CVE Reserved
- 2016-09-16 CVE Published
- 2016-10-02 First Exploit
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-284: Improper Access Control
CAPEC
References (20)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/170857 | 2023-02-06 | |
| https://packetstorm.news/files/id/138940 | 2016-10-02 | |
| https://www.exploit-db.com/exploits/40450 | 2024-08-05 | |
| https://github.com/Naramsim/Offensive | 2018-09-01 | |
| https://github.com/mhe18/CVE_Project | 2019-01-30 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2017-0457.html | 2023-02-06 | |
| http://www.debian.org/security/2016/dsa-3669 | 2023-02-06 | |
| http://www.debian.org/security/2016/dsa-3670 | 2023-02-06 | |
| http://www.ubuntu.com/usn/USN-3081-1 | 2023-02-06 | |
| https://access.redhat.com/errata/RHSA-2017:0455 | 2023-02-06 | |
| https://access.redhat.com/errata/RHSA-2017:0456 | 2023-02-06 | |
| https://security.gentoo.org/glsa/201705-09 | 2023-02-06 | |
| https://access.redhat.com/security/cve/CVE-2016-1240 | 2017-03-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1376712 | 2017-03-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0 Search vendor "Apache" for product "Tomcat" and version "6.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0 Search vendor "Apache" for product "Tomcat" and version "6.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0 Search vendor "Apache" for product "Tomcat" and version "6.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 7.0 Search vendor "Apache" for product "Tomcat" and version "7.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 7.0 Search vendor "Apache" for product "Tomcat" and version "7.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 7.0 Search vendor "Apache" for product "Tomcat" and version "7.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 8.0 Search vendor "Apache" for product "Tomcat" and version "8.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 8.0 Search vendor "Apache" for product "Tomcat" and version "8.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 8.0 Search vendor "Apache" for product "Tomcat" and version "8.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 7.0 Search vendor "Apache" for product "Tomcat" and version "7.0" | - |
Affected
| in | Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 8.0 Search vendor "Apache" for product "Tomcat" and version "8.0" | - |
Affected
| in | Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Safe
|