Bug 730400 (CVE-2011-2729)

Summary: CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowing access to files and directories owned by the superuser
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: djorm, java-sig-commits, jjohnstn, pcheung, sochotni, SpikeFedora
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-08-08 05:48:00 UTC
Bug Depends On: 730825, 730826, 730827, 730828
Bug Blocks: 730411

Description Vincent Danen 2011-08-12 19:17:44 UTC
A bug in the capabilities code of tomcat5 [1] and tomcat6 [2] was identified in jsvc (the service wrapper for Linux that is part of the Commons Daemon project).  jsvc would not drop capabilities, allowing the application to access files and directories owned by the superuser.  The vulnerability only occurred when the following conditions were true:

* Tomcat is running on Linux
* jsvc is compiled with libcap
* -user parameter is used

This affects Tomcat 6.0.30-6.0.32 and is fixed in r1153824 [3], and Tomcat 5.5.32-5.5.33, for which a proposed patch is available [4]; however, all these do is update the build files to use the latest Apache Commons Daemon.  The real flaw is in the Apache Commons Daemon, and is fixed in upstream 1.0.7 [5].  According to the bug report [6], Commons Daemon 1.0.3-1.0.6 are affected and it is fixed in r1152701 [7].

[1] http://tomcat.apache.org/security-5.html
[2] http://tomcat.apache.org/security-6.html
[3] http://svn.apache.org/viewvc?view=revision&revision=1153824
[4] http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
[5] http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
[6] https://issues.apache.org/jira/browse/DAEMON-214
[7] http://svn.apache.org/viewvc?view=revision&revision=1152701
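The condition described above (jsvc has switched to the -user account but kept its effective capability set) is visible in the kernel's per-process status file. The following added check, which is not part of the bug report or of the Commons Daemon project, parses the CapEff line of a /proc/<pid>/status-style text and reports whether any capability, and specifically CAP_DAC_OVERRIDE (the bit that lets a process bypass file permission checks), is still held; the sample status texts are constructed, and the PID argument is assumed to belong to a running jsvc worker.

```shell
#!/bin/sh
# Added example: verify that a daemon that switched users also dropped
# its Linux capabilities. Parses CapEff from /proc/<pid>/status text.

# cap_eff_hex TEXT -> prints the CapEff hex mask found in TEXT
cap_eff_hex() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# caps_retained TEXT -> exit 0 if the effective set is non-empty,
# 1 if it is all zeros, 2 if no CapEff line is present
caps_retained() {
    mask=$(cap_eff_hex "$1")
    [ -n "$mask" ] || return 2
    stripped=$(printf '%s' "$mask" | sed 's/^0*//')
    [ -n "$stripped" ]
}

# dac_override_retained TEXT -> exit 0 if CAP_DAC_OVERRIDE (bit 1) is set.
# Only the lowest hex digit matters for bit 1: digits with value 2 set.
dac_override_retained() {
    mask=$(cap_eff_hex "$1")
    [ -n "$mask" ] || return 2
    last=${mask#"${mask%?}"}
    case "$last" in
        [2367abefABEF]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_process PID -> reads the live /proc entry and prints a verdict
check_process() {
    status=$(cat "/proc/$1/status" 2>/dev/null) || { echo "pid $1: not found"; return 2; }
    uid=$(printf '%s\n' "$status" | awk '/^Uid:/ { print $2 }')
    if caps_retained "$status"; then
        echo "pid $1 (uid $uid): effective capabilities retained: $(cap_eff_hex "$status")"
        return 1
    fi
    echo "pid $1 (uid $uid): effective capability set is empty"
}

# Constructed samples: a worker running as an unprivileged uid that kept
# the full capability set (the vulnerable state) and one that dropped it.
SAMPLE_BAD='Name:   jsvc
Uid:    91      91      91      91
CapEff: ffffffffffffffff'
SAMPLE_GOOD='Name:   jsvc
Uid:    91      91      91      91
CapEff: 0000000000000000'
```

Run `check_process <pid>` against each jsvc process after startup; a non-zero CapEff on a non-root uid is the state this bug describes.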

Comment 1 Vincent Danen 2011-08-12 19:39:36 UTC
According to the tomcat reports, we are vulnerable based on the version, but our tomcat packages include:

Requires: jakarta-commons-daemon >= 1.0.1

So we do not use the upstream-provided version, but our own.  Which means that this only affects us if we ship {apache,jakarta}-commons-daemon version 1.0.3 through 1.0.6.  The only platform that does this is Fedora 15.

The Fedora spec does not explicitly call for a BuildRequires on libcap, however the ./configure script will enable it if present and libcap will always be present because rpm depends on it.  Due to this, Fedora 15 and rawhide will need to update to 1.0.7 or backport the fix.

Stano or Permaine, can you double-check the logic above to make sure that the older jakarta-commons-daemon versions are indeed not vulnerable?

Comment 2 Vincent Danen 2011-08-12 20:06:00 UTC
Sorry, I should also note that JBEWS is affected (jakarta-commons-daemon 1.0.5).

Comment 3 Vincent Danen 2011-08-15 20:44:52 UTC
Fedora is updating to 1.0.7:

http://koji.fedoraproject.org/koji/buildinfo?buildID=258637

Comment 5 Vincent Danen 2011-08-15 20:51:49 UTC
Created apache-commons-daemon tracking bugs for this issue

Affects: fedora-15 [bug 730825]

Comment 7 Vincent Danen 2011-08-16 16:59:17 UTC
JBEWS on EL5 and EL6 are not affected by this, as they are not built with capabilities support (no libcap-devel requirements or presence in the build).

Comment 8 errata-xmlrpc 2011-09-14 18:51:35 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 4

Via RHSA-2011:1292 https://rhn.redhat.com/errata/RHSA-2011-1292.html

Comment 9 errata-xmlrpc 2011-09-14 18:51:44 UTC
This issue has been addressed in the following products:

   JBoss Enterprise Web Server 1.0.2 on RHEL4 (via Customer Service Portal)

Via RHSA-2011:1291 https://rhn.redhat.com/errata/RHSA-2011-1291.html