CVE-2016-5425 : The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

Published 2016-10-13 14:59:08

Updated 2025-04-12 10:46:41

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2016-5425

Apache » Tomcat » Version: N/A
cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*
Matching versions
When used together with: Oracle » Instantis Enterprisetrack » Version: 17.1
When used together with: Oracle » Instantis Enterprisetrack » Version: 17.2
When used together with: Oracle » Instantis Enterprisetrack » Version: 17.3
When used together with: Oracle » Linux » Version: 7
When used together with: Redhat » Enterprise Linux Desktop » Version: 7.0
When used together with: Redhat » Enterprise Linux Server » Version: 7.0
When used together with: Redhat » Enterprise Linux Server Aus » Version: 7.2
When used together with: Redhat » Enterprise Linux Server Aus » Version: 7.3
When used together with: Redhat » Enterprise Linux Server Aus » Version: 7.4
When used together with: Redhat » Enterprise Linux Server Aus » Version: 7.6
When used together with: Redhat » Enterprise Linux Server Aus » Version: 7.7
When used together with: Redhat » Enterprise Linux Server Eus » Version: 7.2
When used together with: Redhat » Enterprise Linux Server Eus » Version: 7.3
When used together with: Redhat » Enterprise Linux Server Eus » Version: 7.4
When used together with: Redhat » Enterprise Linux Server Eus » Version: 7.5
When used together with: Redhat » Enterprise Linux Server Eus » Version: 7.6
When used together with: Redhat » Enterprise Linux Server Eus » Version: 7.7
When used together with: Redhat » Enterprise Linux Server Tus » Version: 7.2
When used together with: Redhat » Enterprise Linux Server Tus » Version: 7.3
When used together with: Redhat » Enterprise Linux Server Tus » Version: 7.6
When used together with: Redhat » Enterprise Linux Server Tus » Version: 7.7
When used together with: Redhat » Enterprise Linux Workstation » Version: 7.0

Exploit prediction scoring system (EPSS) score for CVE-2016-5425

EPSS FAQ

14.91%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2016-5425

Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation

Disclosure Date: 2016-10-10

First seen: 2023-09-11

exploit/linux/local/tomcat_rhel_based_temp_priv_esc

This module exploits a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8. This may also work against The configuration files in tmpfiles.d are used

More information

CVSS scores for CVE-2016-5425

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-5425

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-5425

http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html

Apache Tomcat 8 / 7 / 6 Privilege Escalation ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Page not found | Oracle
Third Party Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/40488/

Apache Tomcat 8/7/6 (RedHat Based Distros) - Local Privilege Escalation
Third Party Advisory;VDB Entry
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Oracle Linux Bulletin - October 2016
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E

[jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar-Apache Mail Archives

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/10/10/2

oss-security - CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
Mailing List;Third Party Advisory
http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html

Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425
Exploit;Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2046.html

RHSA-2016:2046 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/93472

Apache Tomcat CVE-2016-5425 Insecure File Permissions Vulnerability
Third Party Advisory;VDB Entry
http://www.securitytracker.com/id/1036979

Apache Tomcat Weak Configuration File Permissions on Red Hat-based Systems Lets Local Users Obtain Root Privileges - SecurityTracker
Third Party Advisory;VDB Entry

Jump to