#VU264 Privilege escalation in Oracle Server applications


Published: 2016-08-05 | Updated: 2017-01-11

Vulnerability identifier: #VU264

Vulnerability risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-0714

CWE-ID: CWE-94

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Apache Tomcat (Server applications / Web servers)
Oracle Solaris (Operating systems & Components / Operating system)
Oracle Linux (Operating systems & Components / Operating system)
Oracle Transportation Management (Other software / Other software solutions)
Virtual Desktop Infrastructure (Server applications / Virtualization software)

Vendor: Apache Foundation, Oracle

Description

The vulnerability allows a local attacker to bypass security manager restrictions.

A local attacker who controls a web application can abuse the functionality of StandardManager and PersistentManager to gain control over session persistence, whether sessions are stored in files, in a database or in a custom Store. Since session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code, the attacker can place a specially crafted object into a session and execute arbitrary code on the vulnerable system with elevated privileges.

Successful exploitation of the vulnerability may allow a local attacker to gain elevated privileges on the system.


Mitigation
Install the latest version of Apache Tomcat: 6.0.45, 7.0.68, 8.0.32 or 9.0.0.M3.

Vulnerable software versions

Apache Tomcat: 6.0.0 - 6.0.44, 7.0.0 - 7.0.67, 8.0.0 - 8.0.31, 9.0.0-M1 - 9.0.0-M2

Oracle Solaris: 11.3

Oracle Transportation Management: 6.1 - 6.3.7

Virtual Desktop Infrastructure: 3.5.3

Oracle Linux: 7
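
For inventory checks, the Apache Tomcat ranges above can be tested against a reported version string. This is an added example, not part of the advisory or of Tomcat itself; the function names are hypothetical, the input strings in the comments are constructed, and only the Tomcat ranges and fixed releases listed on this page are encoded.

```python
import re

FINAL = 10**6  # sorts a final release after any milestone (M1, M2, ...)

# Inclusive affected ranges from this advisory: (major, minor, patch, milestone)
AFFECTED = [
    ((6, 0, 0, FINAL), (6, 0, 44, FINAL)),
    ((7, 0, 0, FINAL), (7, 0, 67, FINAL)),
    ((8, 0, 0, FINAL), (8, 0, 31, FINAL)),
    ((9, 0, 0, 1), (9, 0, 0, 2)),  # 9.0.0-M1 .. 9.0.0-M2
]

# First fixed release per branch, from the Mitigation section
FIXED = {6: "6.0.45", 7: "7.0.68", 8: "8.0.32", 9: "9.0.0.M3"}

# Accepts "8.0.31", "9.0.0-M2", "9.0.0.M3", or a banner such as
# "Server version: Apache Tomcat/7.0.67" (constructed sample inputs).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_tomcat_version(text):
    """Return (major, minor, patch, milestone) for the first version in text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Tomcat version found in %r" % text)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else FINAL
    return (major, minor, patch, milestone)


def is_affected(text):
    """True if the version falls inside a range listed in this advisory."""
    version = parse_tomcat_version(text)
    return any(low <= version <= high for low, high in AFFECTED)


def fixed_release(text):
    """Return the fixed release for an affected version, else None."""
    if not is_affected(text):
        return None
    return FIXED[parse_tomcat_version(text)[0]]


if __name__ == "__main__":
    for sample in ("Apache Tomcat/7.0.67", "8.0.32", "9.0.0-M2", "9.0.0.M3"):
        print(sample, "->", fixed_release(sample) or "not in affected range")
```

Distribution packages may carry backported fixes under an unchanged upstream version number, so for Oracle Linux and Solaris builds the vendor bulletins under External links take precedence over this check.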


External links
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

