Tomcat: Insecure installation

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200408-15 / tomcat
Release Date August 15, 2004
Latest Revision May 22, 2006: 04
Impact normal
Exploitable local
Package: www-servers/tomcat
Vulnerable versions: < 5.0.27-r3
Unaffected versions: >= 5.0.27-r3, revision >= 4.1.30-r4, revision >= 3.3.2-r2
Architecture(s): All supported architectures

Related bug reports: #59232

Synopsis

Improper file ownership may allow a member of the tomcat group to execute scripts as root.

2.  Impact Information

Background

Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages.

Description

The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init scripts as tomcat:tomcat, but those scripts are executed with root privileges when the system is started. This may allow a member of the tomcat group to run arbitrary code with root privileges when the Tomcat init scripts are run.

Impact

This could lead to a local privilege escalation or root compromise by authenticated users.

3.  Resolution Information

Workaround

Users may change the ownership of /etc/init.d/tomcat* and /etc/conf.d/tomcat* to be root:root:

Code Listing 3.1: Workaround

# chown -R root:root /etc/init.d/tomcat*
# chown -R root:root /etc/conf.d/tomcat*
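The flaw above is a general class: a file that root executes or reads at boot but that a non-root user or group may modify. The following audit script is an added example, not part of the advisory or of the Gentoo ebuild; it checks every regular file in the given directories (not only tomcat*) for ownership by the expected owner and for group- or world-write bits, and prints the commands that restore the workaround state. The OWNER argument, the function names and the extra chmod step are assumptions of this example.

```shell
#!/bin/sh
# Audit for the GLSA 200408-15 class of problem: files run or read by root at boot
# (init scripts, conf.d files) that a non-root user or group can modify.
# Added example; directories, function names and the OWNER argument are assumptions.

# audit_root_run_files OWNER DIR...
# Prints each regular file directly under DIR that is not owned by OWNER (name or
# numeric uid) or that is group- or world-writable. Returns 1 if any were found.
audit_root_run_files() {
    owner="$1"
    shift
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -user takes a name or uid; -perm -g+w / -o+w are POSIX symbolic modes
        hits=$(find "$dir" -maxdepth 1 -type f \
            \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print | sort)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# print_remediation OWNER FILE...
# Emits the commands that bring FILE back to the advisory's workaround state
# (owned OWNER:OWNER) and, as an added step, strip group/world write bits.
print_remediation() {
    owner="$1"
    shift
    for f in "$@"; do
        printf 'chown %s:%s %s\n' "$owner" "$owner" "$f"
        printf 'chmod go-w %s\n' "$f"
    done
}

# Usage: sh audit-init-ownership.sh root /etc/init.d /etc/conf.d
if [ $# -ge 2 ]; then
    audit_root_run_files "$@"
fi
```

Run it as root after applying the workaround or upgrading; an empty listing and exit status 0 confirm that nothing root executes at boot is writable by the tomcat user or group.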

Resolution

All Tomcat users can upgrade to the latest stable version, or simply apply the workaround:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=www-servers/tomcat-5.0.27-r3"
# emerge ">=www-servers/tomcat-5.0.27-r3"

4.  References



Page updated August 15, 2004

Summary: This is a Gentoo Linux Security Advisory


Copyright 2001-2014 Gentoo Foundation, Inc.