Bug 730400 (CVE-2011-2729) - CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowing access to files and directories owned by the superuser
Summary: CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowin...
Status: CLOSED ERRATA
Alias: CVE-2011-2729
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110812,reported=20110812,sou...
Keywords: Security
Depends On: 730825 730826 730827 730828
Blocks: 730411
TreeView+ depends on / blocked
 
Reported: 2011-08-12 19:17 UTC by Vincent Danen
Modified: 2012-08-08 05:48 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-08 05:48:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1291 normal SHIPPED_LIVE Important: jakarta-commons-daemon-jsvc security update 2011-09-14 18:51:39 UTC
Red Hat Product Errata RHSA-2011:1292 normal SHIPPED_LIVE Important: jakarta-commons-daemon-jsvc security update 2011-09-14 18:51:27 UTC

Description Vincent Danen 2011-08-12 19:17:44 UTC
A bug in the capabilities code of tomcat5 [1] and tomcat6 [1] was identified in jsvc (the service wrapper for Linux that is part of the Commons Daemon project).  jsvc would not drop capabilities, allowing the application to access files and directories owned by the superuser.  The vulnerability only occurred when the following conditions were true:

* Tomcat is running on Linux
* jsvc is compiled with libcap
* -user parameter is used

This affects Tomcat 6.0.30-6.0.32 and is fixed in r1153824 [3] and Tomcat 5.5.32-5.5.33, a proposed patch is available [4], however all these do is update the build files to use the latest Apache Commons Daemon.  The real flaw is in the Apache Commons Daemon, and is fixed in upstream 1.0.7 [5].  According to the bug report [6] Commons Daemon 1.0.3-1.0.6 are affected and it is fixed in r11152701 [7].

[1] http://tomcat.apache.org/security-5.html
[2] http://tomcat.apache.org/security-6.html
[3] http://svn.apache.org/viewvc?view=revision&revision=1153824
[4] http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
[5] http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
[6] https://issues.apache.org/jira/browse/DAEMON-214
[7] http://svn.apache.org/viewvc?view=revision&revision=1152701

Comment 1 Vincent Danen 2011-08-12 19:39:36 UTC
According to the tomcat reports, we are vulnerable based on the version, but our tomcat packages include:

Requires: jakarta-commons-daemon >= 1.0.1

So we do not use the upstream-provided version, but our own.  Which means that this only affects us if we ship {apache,jakarta}-commons-daemon version 1.0.3 through 1.0.6.  The only platform that does this is Fedora 15.

The Fedora spec does not explicitly call for a BuildRequires on libcap, however the ./configure script will enable it if present and libcap will always be present because rpm depends on it.  Due to this, Fedora 15 and rawhide will need to update to 1.0.7 or backport the fix.

Stano or Permaine, can you double-check the logic above to make sure that the older jakarta-commons-daemon versions are indeed not vulnerable?

Comment 2 Vincent Danen 2011-08-12 20:06:00 UTC
Sorry, I should also note that JBEWS is affected (jakarta-commons-daemon 1.0.5).

Comment 3 Vincent Danen 2011-08-15 20:44:52 UTC
Fedora is updating to 1.0.7:

http://koji.fedoraproject.org/koji/buildinfo?buildID=258637

Comment 5 Vincent Danen 2011-08-15 20:51:49 UTC
Created apache-commons-daemon tracking bugs for this issue

Affects: fedora-15 [bug 730825]

Comment 7 Vincent Danen 2011-08-16 16:59:17 UTC
JBEWS on EL5 and EL6 are not affected by this, as they are not built with capabilities support (no libcap-devel requirements or presence in the build).

Comment 8 errata-xmlrpc 2011-09-14 18:51:35 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4

Via RHSA-2011:1292 https://rhn.redhat.com/errata/RHSA-2011-1292.html

Comment 9 errata-xmlrpc 2011-09-14 18:51:44 UTC
This issue has been addressed in following products:

   JBoss Enterprise Web Server 1.0.2 on RHEL4 (via Customer Service Portal)

Via RHSA-2011:1291 https://rhn.redhat.com/errata/RHSA-2011-1291.html


Note You need to log in before you can comment on or make changes to this bug.