Bug 730400 - (CVE-2011-2729) CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowing access to files and directories owned by the superuser
CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowin...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 730825 730826 730827 730828
Blocks: 730411
  Show dependency treegraph
Reported: 2011-08-12 15:17 EDT by Vincent Danen
Modified: 2012-08-08 01:48 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-08-08 01:48:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-08-12 15:17:44 EDT
A bug in the capabilities code of tomcat5 [1] and tomcat6 [1] was identified in jsvc (the service wrapper for Linux that is part of the Commons Daemon project).  jsvc would not drop capabilities, allowing the application to access files and directories owned by the superuser.  The vulnerability only occurred when the following conditions were true:

* Tomcat is running on Linux
* jsvc is compiled with libcap
* -user parameter is used

This affects Tomcat 6.0.30-6.0.32 and is fixed in r1153824 [3] and Tomcat 5.5.32-5.5.33, a proposed patch is available [4], however all these do is update the build files to use the latest Apache Commons Daemon.  The real flaw is in the Apache Commons Daemon, and is fixed in upstream 1.0.7 [5].  According to the bug report [6] Commons Daemon 1.0.3-1.0.6 are affected and it is fixed in r11152701 [7].

[1] http://tomcat.apache.org/security-5.html
[2] http://tomcat.apache.org/security-6.html
[3] http://svn.apache.org/viewvc?view=revision&revision=1153824
[4] http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
[5] http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
[6] https://issues.apache.org/jira/browse/DAEMON-214
[7] http://svn.apache.org/viewvc?view=revision&revision=1152701
Comment 1 Vincent Danen 2011-08-12 15:39:36 EDT
According to the tomcat reports, we are vulnerable based on the version, but our tomcat packages include:

Requires: jakarta-commons-daemon >= 1.0.1

So we do not use the upstream-provided version, but our own.  Which means that this only affects us if we ship {apache,jakarta}-commons-daemon version 1.0.3 through 1.0.6.  The only platform that does this is Fedora 15.

The Fedora spec does not explicitly call for a BuildRequires on libcap, however the ./configure script will enable it if present and libcap will always be present because rpm depends on it.  Due to this, Fedora 15 and rawhide will need to update to 1.0.7 or backport the fix.

Stano or Permaine, can you double-check the logic above to make sure that the older jakarta-commons-daemon versions are indeed not vulnerable?
Comment 2 Vincent Danen 2011-08-12 16:06:00 EDT
Sorry, I should also note that JBEWS is affected (jakarta-commons-daemon 1.0.5).
Comment 3 Vincent Danen 2011-08-15 16:44:52 EDT
Fedora is updating to 1.0.7:

Comment 5 Vincent Danen 2011-08-15 16:51:49 EDT
Created apache-commons-daemon tracking bugs for this issue

Affects: fedora-15 [bug 730825]
Comment 7 Vincent Danen 2011-08-16 12:59:17 EDT
JBEWS on EL5 and EL6 are not affected by this, as they are not built with capabilities support (no libcap-devel requirements or presence in the build).
Comment 8 errata-xmlrpc 2011-09-14 14:51:35 EDT
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4

Via RHSA-2011:1292 https://rhn.redhat.com/errata/RHSA-2011-1292.html
Comment 9 errata-xmlrpc 2011-09-14 14:51:44 EDT
This issue has been addressed in following products:

   JBoss Enterprise Web Server 1.0.2 on RHEL4 (via Customer Service Portal)

Via RHSA-2011:1291 https://rhn.redhat.com/errata/RHSA-2011-1291.html

Note You need to log in before you can comment on or make changes to this bug.