Vulnerability details: VCID-9pf5-786z-aaaj
Vulnerability ID VCID-9pf5-786z-aaaj
Aliases CVE-2016-1240
Summary The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Weaknesses (2)
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1240.html
cvssv3.1 7.5 http://rhn.redhat.com/errata/RHSA-2017-0457.html
generic_textual HIGH http://rhn.redhat.com/errata/RHSA-2017-0457.html
rhas Important https://access.redhat.com/errata/RHSA-2017:0455
rhas Important https://access.redhat.com/errata/RHSA-2017:0456
rhas Important https://access.redhat.com/errata/RHSA-2017:0457
cvssv3 7.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1240.json
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
epss 0.16238 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
epss 0.18727 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
epss 0.19153 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
epss 0.19505 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
epss 0.20519 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
epss 0.20973 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
epss 0.3008 https://api.first.org/data/v1/epss?cve=CVE-2016-1240
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=1376712
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240
cvssv2 7.2 https://nvd.nist.gov/vuln/detail/CVE-2016-1240
cvssv3 7.8 https://nvd.nist.gov/vuln/detail/CVE-2016-1240
cvssv3.1 9.8 https://security.gentoo.org/glsa/201705-09
generic_textual CRITICAL https://security.gentoo.org/glsa/201705-09
generic_textual Medium https://ubuntu.com/security/notices/USN-3081-1
generic_textual Medium https://ubuntu.com/security/notices/USN-3081-2
Reference id Reference type URL
http://packetstormsecurity.com/files/170857/Apache-Tomcat-On-Ubuntu-Log-Init-Privilege-Escalation.html
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1240.html
http://rhn.redhat.com/errata/RHSA-2017-0457.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1240.json
https://api.first.org/data/v1/epss?cve=CVE-2016-1240
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180731-0002/
https://ubuntu.com/security/notices/USN-3081-1
https://ubuntu.com/security/notices/USN-3081-2
https://www.exploit-db.com/exploits/40450/
http://www.debian.org/security/2016/dsa-3669
http://www.debian.org/security/2016/dsa-3670
http://www.securityfocus.com/archive/1/539519/100/0/threaded
http://www.securityfocus.com/bid/93263
http://www.securitytracker.com/id/1036845
http://www.ubuntu.com/usn/USN-3081-1
1376712 https://bugzilla.redhat.com/show_bug.cgi?id=1376712
CVE-2016-1240 Exploit http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
CVE-2016-1240 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/local/40450.txt
CVE-2016-1240 https://nvd.nist.gov/vuln/detail/CVE-2016-1240
RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
RHSA-2017:0457 https://access.redhat.com/errata/RHSA-2017:0457
USN-3081-1 https://usn.ubuntu.com/3081-1/
USN-3081-2 https://usn.ubuntu.com/3081-2/
Data source Exploit-DB
Date added Oct. 3, 2016
Description Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation
Ransomware campaign use Known
Source publication date Oct. 3, 2016
Exploit type local
Platform linux
Source update date Oct. 3, 2016
Source URL http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
Data source Metasploit
Description Tomcat (6, 7, 8) packages provided by default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a java web application hosted on Tomcat, uploading a webshell etc.) to escalate their privileges from tomcat user to root and fully compromise the target system. Tested against Tomcat 8.0.32-1ubuntu1.1 on Ubuntu 16.04
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - artifacts-on-disk
  - config-changes
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date Sept. 30, 2016
Platform Linux
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://rhn.redhat.com/errata/RHSA-2017-0457.html
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) none
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) high
Integrity Impact (I) none
Availability Impact (A) none
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1240.json
Attack Vector (AV) local
Attack Complexity (AC) high
Privileges Required (PR) low
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) high
Integrity Impact (I) high
Availability Impact (A) high
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2016-1240
Exploitability (E) not present in the vector
Access Vector (AV) local
Access Complexity (AC) low
Authentication (Au) none
Confidentiality Impact (C) complete
Integrity Impact (I) complete
Availability Impact (A) complete
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2016-1240
Attack Vector (AV) local
Attack Complexity (AC) low
Privileges Required (PR) low
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) high
Integrity Impact (I) high
Availability Impact (A) high
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/201705-09
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) none
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) high
Integrity Impact (I) high
Availability Impact (A) high
Exploit Prediction Scoring System (EPSS)
Percentile 0.10721
EPSS Score 0.00043
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.