Vulnerability Details : CVE-2016-1240
Public exploit exists!
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2016-1240
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 8 %
Metasploit modules for CVE-2016-1240
- Apache Tomcat on Ubuntu Log Init Privilege Escalation
  Disclosure Date: 2016-09-30
  First seen: 2023-09-11
  exploit/linux/local/tomcat_ubuntu_log_init_priv_esc
  Tomcat (6, 7, 8) packages provided by default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by
CVSS scores for CVE-2016-1240
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2016-1240
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1240
- http://www.securitytracker.com/id/1036845
  Apache Tomcat Unsafe chown Command in init Script Lets Local Users Obtain Root Privileges - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/93263
  Apache Tomcat CVE-2016-1240 Local Privilege Escalation Vulnerability
- https://access.redhat.com/errata/RHSA-2017:0456
  RHSA-2017:0456 - Security Advisory - Red Hat Customer Portal
- http://packetstormsecurity.com/files/170857/Apache-Tomcat-On-Ubuntu-Log-Init-Privilege-Escalation.html
  Apache Tomcat On Ubuntu Log Init Privilege Escalation ≈ Packet Storm
- http://www.ubuntu.com/usn/USN-3081-1
  USN-3081-1: Tomcat vulnerability | Ubuntu security notices (Third Party Advisory)
- http://www.securityfocus.com/archive/1/539519/100/0/threaded
  SecurityFocus
- http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
  Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240
- http://rhn.redhat.com/errata/RHSA-2017-0457.html
  RHSA-2017:0457 - Security Advisory - Red Hat Customer Portal
- http://www.debian.org/security/2016/dsa-3669
  Debian -- Security Information -- DSA-3669-1 tomcat7 (Third Party Advisory)
- https://security.gentoo.org/glsa/201705-09
  Apache Tomcat: Multiple vulnerabilities (GLSA 201705-09) — Gentoo security
- https://security.netapp.com/advisory/ntap-20180731-0002/
  November 2017 Apache Tomcat Vulnerabilities in NetApp Products | NetApp Product Security
- http://www.debian.org/security/2016/dsa-3670
  Debian -- Security Information -- DSA-3670-1 tomcat8 (Third Party Advisory)
- https://www.exploit-db.com/exploits/40450/
  Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation
- https://access.redhat.com/errata/RHSA-2017:0455
  RHSA-2017:0455 - Security Advisory - Red Hat Customer Portal
Products affected by CVE-2016-1240
- cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*