vulnerability

Oracle Linux: CVE-2016-5425: ELSA-2016-2046: tomcat security update (IMPORTANT)

Severity
6
CVSS
(AV:L/AC:H/Au:S/C:C/I:C/A:C)
Published
Oct 10, 2016
Added
Oct 11, 2016
Modified
Nov 29, 2024

Description

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.

Solution(s)

oracle-linux-upgrade-tomcatoracle-linux-upgrade-tomcat-admin-webappsoracle-linux-upgrade-tomcat-docs-webapporacle-linux-upgrade-tomcat-el-2-2-apioracle-linux-upgrade-tomcat-javadocoracle-linux-upgrade-tomcat-jsp-2-2-apioracle-linux-upgrade-tomcat-jsvcoracle-linux-upgrade-tomcat-liboracle-linux-upgrade-tomcat-servlet-3-0-apioracle-linux-upgrade-tomcat-webapps
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.