HP Security Bulletin HPSBST02955 2 - Potential security vulnerabilities have been identified in 3rd party software used in HP XP P9000 Performance Advisor running Oracle and Apache Tomcat Software. HP has updated the Apache Tomcat and Oracle database software to address vulnerabilities affecting confidentiality, availability, and integrity. Revision 2 of this advisory.
6410ff7bef195c9761122d2dbcef0fcb62f17fc9f0e7743be62f8af8196a6887
HP Security Bulletin HPSBST02955 - Potential security vulnerabilities have been identified in 3rd party software used in HP XP P9000 Performance Advisor running Oracle and Apache Tomcat Software. HP has updated the Apache Tomcat and Oracle database software to address vulnerabilities affecting confidentiality, availability, and integrity. Revision 1 of this advisory.
7a0da1c21ab0ea1ff0e437cda710d643179e7469a520d96d54e7b1e4ad034845
HP Security Bulletin HPSBUX02860 SSRT101146 - Potential security vulnerabilities have been identified with HP-UX Apache running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass, unauthorized modification, and other vulnerabilities. Revision 1 of this advisory.
3a2ec4c66b8a63342dc058e636fe5628f6ab4c3fd27f829156c41caf8a44c2d1
Gentoo Linux Security Advisory 201206-24 - Multiple vulnerabilities were found in Apache Tomcat, the worst of which allowing to read, modify and overwrite arbitrary files. Versions 5.5.34 are affected.
2554deef0443d375e952662e346879fa72a6339fcb77237d7e198b3b4d27ff87
HP Security Bulletin HPSBOV02762 SSRT100825 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running CSWS_JAVA. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, privilege escalation, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.
7aea36aed5246255765866fa3709a5b96e6e0350e5b8bf65bfd2aaf3d2eddf7e
Ubuntu Security Notice 1298-1 - Wilfried Weissmann discovered that Apache Commons Daemon incorrectly dropped capabilities after starting. A remote attacker could possibly use this flaw to read certain files, bypassing the intended permissions.
4868b8c796cc6f4dee413c99fbe678b130df075c38aaa2fe29a5d2cc3630cf72
HP Security Bulletin HPSBUX02725 SSRT100627 - Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to disclose information, allow authentication bypass, allow cross-site scripting (XSS), gain unauthorized access, or create a Denial of Service (DoS). The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite. Revision 1 of this advisory.
da0edbfa949de2b7034ad0a1fe927c5c9205a87431abdda03737962e90086071
Red Hat Security Advisory 2011-1292-01 - The jakarta-commons-daemon-jsvc package includes jsvc, a service wrapper that allows Java applications to be run as daemons. It was found that jsvc did not correctly drop capabilities after starting an application. If an administrator used jsvc to run an application, and also used the "-user" option to specify a user for it to run as, the application correctly ran as that user but did not drop its increased capabilities, allowing it access to all files and directories accessible to the root user. Note: This flaw does not affect Red Hat Enterprise Linux 5 and 6, as the jakarta-commons-daemon-jsvc packages for those products are not built with capabilities support.
01885f5b5bc251d8b70124f876155868acc7392e8131bd742bb232e87c830329
Red Hat Security Advisory 2011-1291-01 - jsvc is a service wrapper that allows Java applications to be run as daemons. It was found that jsvc did not correctly drop capabilities after starting an application. If an administrator used jsvc to run an application, and also used the "-user" option to specify a user for it to run as, the application correctly ran as that user but did not drop its increased capabilities, allowing it access to all files and directories accessible to the root user. Note: This flaw only affected users running JBoss Enterprise Web Server 1.0.2 from jboss-ews-1.0.2-RHEL4-[arch].zip as provided from the Red Hat Customer Portal, as versions for other products are not built with capabilities support.
3835f15da8cfe9f8fd71959ff2c34e727472f267207caed51712bcc12c758f68
Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. Tomcat versions 7.0.0 to 7.0.19, 6.0.30 to 6.0.32, and 5.5.32 to 5.5.33 are affected.
5e5ee821c342e72c13dbf3604b54d2d2c8e9ea11f60cb87dd9f1177cc2886a15