VU#553375 - Wolfram Cloud /tmp Race Enables RCE & Priv-Esc
Category: Vulnerabilities & Exploits
CERT/CC VU#553375 details a Wolfram Cloud 14.2 issue in which the JVM has unrestricted access to shared /tmp resources on multi-tenant instances, enabling privilege escalation, information exfiltration, and potential remote code execution via classpath poisoning during JVM initialization (T1068, T1059). An attacker who can time JVM launches may inject malicious classes from shared temp paths. Because the shared /tmp is accessible between users on the same instance, race conditions can expose other tenants' temporary directories, undermining isolation. While temporary files typically hold no sensitive data, JVM initialization artifacts and classpath manipulation create a practical code-execution avenue.

Business risk: hosted notebook environments and educational tenants face cross-tenant compromise and data leakage. This threatens research IP and student privacy and can be chained with social engineering or weak ACLs.

Mitigation: update Wolfram Cloud to v14.2.1; harden temp-directory permissions and isolate JVM initialization files; monitor for unexpected classpath entries and abnormal JVM flags; and apply strict multi-tenant isolation controls within hosting platforms.
CORTEX Protocol Intelligence Assessment
Business Impact: Cross-tenant compromise risks data exposure and service abuse in shared Wolfram Cloud deployments. Technical Context: /tmp race during JVM init enables classpath poisoning. ATT&CK: T1068 (Privilege Escalation), T1059 (Command/Scripting).
Strategic Intelligence Guidance
- Upgrade to 14.2.1 immediately and validate isolation controls for /tmp.
- Audit JVM init parameters and classpath for untrusted directories.
- Harden container/VM tmpfs mount options and per-tenant namespaces.
- Add runtime detection for unexpected Java process arguments and loaders.
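A runtime check for the second and fourth points above, added here as an example and not code from CERT/CC or Wolfram: it parses Java command lines in the form found in /proc/<pid>/cmdline and flags classpath, agent and tmpdir options that point into shared temp space. The sample command lines, the /tmp and /var/tmp roots and the option list are assumptions made for this example.

```python
import os, posixpath

# Shared multi-tenant temp roots on the instance (assumption for this example).
SHARED_TMP = ("/tmp", "/var/tmp")
# Options whose next argv token is a path list the class loader reads at start-up.
PATH_OPTIONS = {"-cp", "-classpath"}
# Options that carry their path in the same token, after the given prefix.
PATH_PREFIXES = ("-javaagent:", "-agentpath:", "-Xbootclasspath/a:", "-Djava.class.path=", "-Djava.io.tmpdir=")

# Constructed sample of /proc/<pid>/cmdline contents (NUL-separated argv): one clean launch, two suspect.
SAMPLE_CMDLINES = {
    1001: "java\0-Xmx2g\0-cp\0/opt/wolfram/lib/app.jar:/opt/wolfram/lib/deps/*\0com.example.Main\0",
    1002: "java\0-classpath\0/opt/app/app.jar:/tmp/jvm-init-4412/lib\0com.example.Main\0",
    1003: "java\0-javaagent:/tmp/agent.jar\0-Djava.io.tmpdir=/var/tmp\0-jar\0/opt/app/app.jar\0",
}

def loader_paths(argv):
    """Return (option, path) pairs for every path the command line hands to the JVM loader."""
    pairs, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in PATH_OPTIONS and i + 1 < len(argv):
            pairs += [(arg, p) for p in argv[i + 1].split(":") if p]  # ':' is the Unix class path separator
            i += 1  # the value token is consumed too
        else:
            for prefix in PATH_PREFIXES:
                if arg.startswith(prefix):
                    pairs += [(prefix, p) for p in arg[len(prefix):].split(":") if p]
        i += 1
    return pairs

def in_shared_tmp(path):
    """True when path is a shared temp root or lies beneath one (after normalisation)."""
    norm = posixpath.normpath(path)
    return any(norm == root or norm.startswith(root + "/") for root in SHARED_TMP)

def findings_for(pid, cmdline):
    """Flag loader paths of one Java process that resolve into shared temp space."""
    argv = cmdline.split("\0")
    if posixpath.basename(argv[0]) != "java":
        return []
    return [{"pid": pid, "option": opt, "path": p} for opt, p in loader_paths(argv) if in_shared_tmp(p)]

def scan_proc(proc_root="/proc"):
    """Apply findings_for to the cmdline of every live process under proc_root."""
    out = []
    for pid in (e for e in os.listdir(proc_root) if e.isdigit()):
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                out += findings_for(int(pid), fh.read().decode("utf-8", "replace"))
        except OSError:
            pass  # process exited or cmdline not readable
    return out
```

Running findings_for over SAMPLE_CMDLINES reports nothing for pid 1001 and one finding each for the /tmp classpath entry, the /tmp agent jar and the shared tmpdir; scan_proc does the same against live processes.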
Intelligence Source: VU#553375 - Wolfram Cloud /tmp Race Enables RCE & Priv-Esc | Nov 12, 2025