CVE-2016-6325
tomcat: tomcat writable config files allow privilege escalation
Severity Score
7.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
El paquete Tomcat en Red Hat Enterprise Linux (RHEL) 5 hasta la versión 7, JBoss Web Server 3.0 y JBoss EWS 2 utiliza permisos débiles para (1) /etc/sysconfig/tomcat y (2) /etc/tomcat/tomcat.conf, lo que permite a usuarios locales obtener privilegios aprovechando su pertenencia al grupo tomcat.
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2016-07-26 CVE Reserved
- 2016-10-12 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-284: Improper Access Control
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/93478 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2045.html | 2023-02-12 | |
| http://rhn.redhat.com/errata/RHSA-2016-2046.html | 2023-02-12 | |
| http://rhn.redhat.com/errata/RHSA-2017-0457.html | 2023-02-12 | |
| https://access.redhat.com/errata/RHSA-2017:0455 | 2023-02-12 | |
| https://access.redhat.com/errata/RHSA-2017:0456 | 2023-02-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1367447 | 2017-03-07 | |
| https://access.redhat.com/security/cve/CVE-2016-6325 | 2017-03-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Jboss Enterprise Web Server Search vendor "Redhat" for product "Jboss Enterprise Web Server" | 2.0.0 Search vendor "Redhat" for product "Jboss Enterprise Web Server" and version "2.0.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Jboss Web Server Search vendor "Redhat" for product "Jboss Web Server" | 3.0 Search vendor "Redhat" for product "Jboss Web Server" and version "3.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 5.0 Search vendor "Redhat" for product "Enterprise Linux" and version "5.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Hpc Node Search vendor "Redhat" for product "Enterprise Linux Hpc Node" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Hpc Node" and version "6.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Hpc Node Search vendor "Redhat" for product "Enterprise Linux Hpc Node" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Hpc Node" and version "7.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Hpc Node Eus Search vendor "Redhat" for product "Enterprise Linux Hpc Node Eus" | 7.2 Search vendor "Redhat" for product "Enterprise Linux Hpc Node Eus" and version "7.2" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus" | 7.2 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.2" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus" | 7.2 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.2" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0" | - |
Safe
|
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | - | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0" | - |
Safe
|