Bug 730400 (CVE-2011-2729) - CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowing access to files and directories owned by the superuser
Summary: CVE-2011-2729 jakarta-commons-daemon: jsvc does not drop capabilities allowin...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2729
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 730825 730826 730827 730828
Blocks: 730411
Reported: 2011-08-12 19:17 UTC by Vincent Danen
Modified: 2019-09-29 12:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-08 05:48:00 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:1291 | 0 | normal | SHIPPED_LIVE | Important: jakarta-commons-daemon-jsvc security update | 2011-09-14 18:51:39 UTC
Red Hat Product Errata | RHSA-2011:1292 | 0 | normal | SHIPPED_LIVE | Important: jakarta-commons-daemon-jsvc security update | 2011-09-14 18:51:27 UTC

Description Vincent Danen 2011-08-12 19:17:44 UTC
A bug in the capabilities code of tomcat5 [1] and tomcat6 [2] was identified in jsvc (the service wrapper for Linux that is part of the Commons Daemon project).  jsvc would not drop capabilities, allowing the application to access files and directories owned by the superuser.  The vulnerability only occurred when the following conditions were true:

* Tomcat is running on Linux
* jsvc is compiled with libcap
* -user parameter is used

This affects Tomcat 6.0.30-6.0.32 (fixed in r1153824 [3]) and Tomcat 5.5.32-5.5.33 (a proposed patch is available [4]); however, all these do is update the build files to use the latest Apache Commons Daemon.  The real flaw is in the Apache Commons Daemon, and is fixed in upstream 1.0.7 [5].  According to the bug report [6], Commons Daemon 1.0.3-1.0.6 are affected and it is fixed in r1152701 [7].

[1] http://tomcat.apache.org/security-5.html
[2] http://tomcat.apache.org/security-6.html
[3] http://svn.apache.org/viewvc?view=revision&revision=1153824
[4] http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
[5] http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
[6] https://issues.apache.org/jira/browse/DAEMON-214
[7] http://svn.apache.org/viewvc?view=revision&revision=1152701
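
The privilege-drop sequence this report is about, as an added example that is not jsvc's code and not part of the original bug: a stand-alone C program (raw capget/capset syscalls, so it builds on Linux without libcap) doing what a wrapper started as root with a "-user" parameter must do: keep the permitted capability set across setuid() with PR_SET_KEEPCAPS, then immediately shrink it to CAP_NET_BIND_SERVICE and clear the bounding set. The function names (drop_caps_to, drop_bounding_set_to, switch_user_and_drop, drop_leaves_only) and the CAPS_MIN choice are this example's own assumptions, not identifiers from Commons Daemon; the report does not reproduce jsvc's source, so nothing here claims to show the exact defective line, only the step whose omission leaves root-only capabilities in the hands of the service user.

```c
/* Added example, not jsvc's source: the privilege drop a "-user" style
 * wrapper should perform, with raw capget/capset so it needs no libcap. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>

#define CAP_BIT(c) (1u << (c))
/* All a Tomcat on port 80/443 needs once it runs as the service user
 * (assumed here). Anything else, CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH
 * above all, must be gone: with those the uid change protects no file. */
#define CAPS_MIN CAP_BIT(CAP_NET_BIND_SERVICE)

/* Effective capability bits 0..31 of the caller; all-ones on failure. */
uint32_t effective_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0xffffffffu;
    return data[0].effective;
}

/* Shrink permitted/effective/inheritable to `allowed`. Intersecting with
 * what is held only ever gives capabilities up, so an unprivileged caller
 * succeeds too. Returns 0 on success, -1 with errno set. */
int drop_caps_to(uint32_t allowed)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[0].permitted   &= allowed;
    data[0].effective    = data[0].permitted;  /* setuid() cleared it; re-raise */
    data[0].inheritable &= allowed;
    data[1].permitted = data[1].effective = data[1].inheritable = 0; /* caps >= 32 */
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Drop everything outside `allowed` from the bounding set, so no later
 * execve() of a file with file capabilities regains it. Needs CAP_SETPCAP
 * in the effective set, so it runs before setuid(). */
int drop_bounding_set_to(uint32_t allowed)
{
    for (int c = 0; c <= CAP_LAST_CAP; c++) {
        if (c < 32 && (allowed & CAP_BIT(c)))
            continue;
        if (prctl(PR_CAPBSET_DROP, c, 0, 0, 0) != 0 && errno != EINVAL)
            return -1;
    }
    return 0;
}

/* The "-user" step done right: as root, keep the permitted set across
 * setuid() via KEEPCAPS, then shrink it to CAPS_MIN at once. A wrapper
 * that stops before the final drop_caps_to() is exactly this bug: the uid
 * is the service user, but the root-only capabilities remain usable. */
int switch_user_and_drop(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || drop_bounding_set_to(CAPS_MIN) != 0)
        return -1;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || initgroups(name, pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return drop_caps_to(CAPS_MIN);
}

/* Exercise drop_caps_to() in a forked child so the caller keeps its own
 * capabilities: 1 if the child's effective set ended inside `allowed`. */
int drop_leaves_only(uint32_t allowed)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(drop_caps_to(allowed) == 0 && (effective_caps() & ~allowed) == 0 ? 0 : 1);
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(int argc, char **argv)
{
    /* As root with a user name (./capdrop tomcat) this performs the real
     * switch; as anyone else it only shows the drop working in a child. */
    if (argc > 1 && geteuid() == 0 && switch_user_and_drop(argv[1]) != 0) {
        perror("privilege drop failed");
        return 1;
    }
    printf("uid=%u effective=0x%08x drop-in-child-ok=%d\n", (unsigned)getuid(),
           effective_caps(), drop_leaves_only(CAPS_MIN));
    return 0;
}
```

Build with gcc -Wall -o capdrop capdrop.c. The same check works on a deployed Tomcat without any code: read the CapEff line of /proc/<jvm pid>/status after jsvc has switched to the service user; a value with bit 1 (CAP_DAC_OVERRIDE) or bit 2 (CAP_DAC_READ_SEARCH) still set is the condition this report describes, and a fixed build started the same way should show no more than bit 10 (CAP_NET_BIND_SERVICE).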

Comment 1 Vincent Danen 2011-08-12 19:39:36 UTC
According to the tomcat reports, we are vulnerable based on the version, but our tomcat packages include:

Requires: jakarta-commons-daemon >= 1.0.1

So we do not use the upstream-provided version, but our own.  Which means that this only affects us if we ship {apache,jakarta}-commons-daemon version 1.0.3 through 1.0.6.  The only platform that does this is Fedora 15.

The Fedora spec does not explicitly call for a BuildRequires on libcap, however the ./configure script will enable it if present and libcap will always be present because rpm depends on it.  Due to this, Fedora 15 and rawhide will need to update to 1.0.7 or backport the fix.

Stano or Permaine, can you double-check the logic above to make sure that the older jakarta-commons-daemon versions are indeed not vulnerable?

Comment 2 Vincent Danen 2011-08-12 20:06:00 UTC
Sorry, I should also note that JBEWS is affected (jakarta-commons-daemon 1.0.5).

Comment 3 Vincent Danen 2011-08-15 20:44:52 UTC
Fedora is updating to 1.0.7:

http://koji.fedoraproject.org/koji/buildinfo?buildID=258637

Comment 5 Vincent Danen 2011-08-15 20:51:49 UTC
Created apache-commons-daemon tracking bugs for this issue

Affects: fedora-15 [bug 730825]

Comment 7 Vincent Danen 2011-08-16 16:59:17 UTC
JBEWS on EL5 and EL6 are not affected by this, as they are not built with capabilities support (no libcap-devel requirements or presence in the build).

Comment 8 errata-xmlrpc 2011-09-14 18:51:35 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 4

Via RHSA-2011:1292 https://rhn.redhat.com/errata/RHSA-2011-1292.html

Comment 9 errata-xmlrpc 2011-09-14 18:51:44 UTC
This issue has been addressed in the following products:

   JBoss Enterprise Web Server 1.0.2 on RHEL4 (via Customer Service Portal)

Via RHSA-2011:1291 https://rhn.redhat.com/errata/RHSA-2011-1291.html

