Tomcat: Insecure installation

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200408-15 / tomcat
Release Date	August 15, 2004
Latest Revision	May 22, 2006: 04
Impact	normal
Exploitable	local

Package	Vulnerable versions	Unaffected versions	Architecture(s)
www-servers/tomcat	< 5.0.27-r3	>= 5.0.27-r3, revision >= 4.1.30-r4, revision >= 3.3.2-r2	All supported architectures

Related bugreports: #59232

Synopsis

Improper file ownership may allow a member of the tomcat group to execute scripts as root.

2. Impact Information

Background

Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages.

Description

The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init scripts as tomcat:tomcat, but those scripts are executed with root privileges when the system is started. This may allow a member of the tomcat group to run arbitrary code with root privileges when the Tomcat init scripts are run.

Impact

This could lead to a local privilege escalation or root compromise by authenticated users.

3. Resolution Information

Workaround

Users may change the ownership of /etc/init.d/tomcat* and /etc/conf.d/tomcat* to be root:root:

Code Listing 3.1: Workaround

# chown -R root:root /etc/init.d/tomcat*
# chown -R root:root /etc/conf.d/tomcat*

Resolution

All Tomcat users can upgrade to the latest stable version, or simply apply the workaround:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=www-servers/tomcat-5.0.27-r3"
# emerge ">=www-servers/tomcat-5.0.27-r3"

4. References

CVE-2004-1452

Page updated August 15, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.