what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Commons Daemokn Fails To Drop Capabilities

Commons Daemokn Fails To Drop Capabilities
Posted Aug 12, 2011
Authored by Mark Thomas, Wilfried Weissmann | Site tomcat.apache.org

Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. Tomcat versions 7.0.0 to 7.0.19, 6.0.30 to 6.0.32, and 5.5.32 to 5.5.33 are affected.

tags | advisory
systems | linux
advisories | CVE-2011-2729
SHA-256 | 5e5ee821c342e72c13dbf3604b54d2d2c8e9ea11f60cb87dd9f1177cc2886a15

Commons Daemokn Fails To Drop Capabilities

Change Mirror Download
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.19
Tomcat 6.0.30 to 6.0.32
Tomcat 5.5.32 to 5.5.33

Description:
Due to a bug in the capabilities code, jsvc (the service wrapper for
Linux that is part of the Commons Daemon project) does not drop
capabilities allowing the application to access files and directories
owned by superuser. This vulnerability only applies if:
a) Tomcat is running on a Linux operating system
b) jsvc was compiled with libcap
c) -user parameter is used
The Tomcat versions above shipped with source files for jsvc that
included this vulnerability.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by
taking any of the following actions:
a) upgrade to jsvc 1.0.7 or later
b) do not use -user parameter to switch user
c) recompile the jsvc without libcap support
Updated jsvc source is included in Apache Tomcat 7.0.20 and will be
included in the next releases of Tomcat 6.0.x and 5.5.x. Updated source
can be obtained from the Apache Commons Daemon project.

Credit:
This issue was identified by Wilfried Weissmann.
Login or Register to add favorites

File Archive:

October 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    0 Files
  • 2
    Oct 2nd
    22 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close