Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. Tomcat versions 7.0.0 to 7.0.19, 6.0.30 to 6.0.32, and 5.5.32 to 5.5.33 are affected.
5e5ee821c342e72c13dbf3604b54d2d2c8e9ea11f60cb87dd9f1177cc2886a15