A bug in the capabilities code of tomcat5 [1] and tomcat6 [2] was identified in jsvc (the service wrapper for Linux that is part of the Commons Daemon project). jsvc would not drop capabilities, allowing the application to access files and directories owned by the superuser. The vulnerability only occurred when the following conditions were true:

* Tomcat is running on Linux
* jsvc is compiled with libcap
* the -user parameter is used

This affects Tomcat 6.0.30-6.0.32 and is fixed in r1153824 [3], and Tomcat 5.5.32-5.5.33, for which a proposed patch is available [4]; however, all these do is update the build files to use the latest Apache Commons Daemon. The real flaw is in Apache Commons Daemon, and is fixed in upstream 1.0.7 [5]. According to the bug report [6], Commons Daemon 1.0.3-1.0.6 are affected and it is fixed in r1152701 [7].

[1] http://tomcat.apache.org/security-5.html
[2] http://tomcat.apache.org/security-6.html
[3] http://svn.apache.org/viewvc?view=revision&revision=1153824
[4] http://people.apache.org/~markt/patches/2011-08-12-cve2011-2729-tc5.patch
[5] http://mail-archives.apache.org/mod_mbox/commons-dev/201108.mbox/%3C4E451B2B.9090108@apache.org%3E
[6] https://issues.apache.org/jira/browse/DAEMON-214
[7] http://svn.apache.org/viewvc?view=revision&revision=1152701
According to the tomcat reports, we are vulnerable based on the version, but our tomcat packages include:

Requires: jakarta-commons-daemon >= 1.0.1

So we do not use the upstream-provided version, but our own. Which means that this only affects us if we ship {apache,jakarta}-commons-daemon version 1.0.3 through 1.0.6. The only platform that does this is Fedora 15.

The Fedora spec does not explicitly call for a BuildRequires on libcap; however, the ./configure script will enable it if present, and libcap will always be present because rpm depends on it. Due to this, Fedora 15 and rawhide will need to update to 1.0.7 or backport the fix.

Stano or Permaine, can you double-check the logic above to make sure that the older jakarta-commons-daemon versions are indeed not vulnerable?
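The two comments above give a practitioner two things to verify on a deployed host: whether the jsvc binary was built against libcap at all (the only configuration in which the capability code is compiled in), and whether the JVM child that -user applies to actually ended up with an empty effective capability set. The script below is an added example, not code from the bug report, from Tomcat, or from Commons Daemon. It reads the CapEff line of /proc/<pid>/status, which is the kernel's own record of what a process can do, and checks the binary with ldd. The uid 91 and the two status excerpts are constructed for illustration. One caveat: jsvc keeps a root controller process and forks the child that runs as the -user account, so the pid to check is the child's (the one whose Uid line is not 0); the controller legitimately retains its capabilities.

```shell
#!/bin/sh
# Added example (not part of the bug report or of jsvc): check whether a
# jsvc-launched Tomcat actually dropped its capabilities, and whether the
# jsvc binary was built against libcap.
# Assumptions, all hypothetical: the JVM child runs as uid 91, and the
# status excerpts below are constructed, not captured from a real host.

# Extract the effective capability mask (hex) from the text of /proc/<pid>/status.
cap_eff_of_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }'
}

# Real uid of the process from the same status text (first field of the Uid line).
uid_of_status() {
    printf '%s\n' "$1" | awk '/^Uid:/ { print $2; exit }'
}

# True (exit 0) if the mask has no bits set, i.e. the process holds no
# effective capabilities, which is what -user is supposed to leave behind.
caps_dropped() {
    mask=$(printf '%s' "$1" | tr -d '0')
    [ -z "$mask" ]
}

# Classify a status text: "dropped" is the fixed behaviour, "retained" is
# the symptom of this bug (an unprivileged uid but a non-empty CapEff mask).
classify_status() {
    if caps_dropped "$(cap_eff_of_status "$1")"; then
        echo dropped
    else
        echo retained
    fi
}

# Check a live process. Pass the pid of the jsvc child (the one whose uid
# is the -user account), not the root controller: "retained" together with
# a non-zero uid means the capabilities were never dropped.
check_pid() {
    st=$(cat "/proc/$1/status") || return 2
    echo "pid $1 uid $(uid_of_status "$st") caps $(classify_status "$st")"
}

# Whether a jsvc binary was linked against libcap. Without libcap the
# capability code is compiled out and this issue does not apply.
jsvc_links_libcap() {
    ldd "$1" 2>/dev/null | grep -q 'libcap\.so'
}

# Constructed sample excerpts of /proc/<pid>/status (whitespace-separated
# like the real file), standing in for a vulnerable and a fixed jsvc child.
VULN_STATUS='Name:	jsvc
Uid:	91	91	91	91
CapInh:	0000000000000000
CapPrm:	0000001fffffffff
CapEff:	0000001fffffffff'

FIXED_STATUS='Name:	jsvc
Uid:	91	91	91	91
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000'

# Usage: sh check-jsvc-caps.sh <pid-of-jsvc-child> [/path/to/jsvc]
# With no arguments, classify the two constructed samples instead.
if [ $# -ge 1 ]; then
    check_pid "$1"
    if [ $# -ge 2 ]; then
        if jsvc_links_libcap "$2"; then
            echo "$2 links libcap: capability code path is compiled in"
        else
            echo "$2 does not link libcap: not affected by this issue"
        fi
    fi
else
    echo "constructed vulnerable sample: $(classify_status "$VULN_STATUS")"
    echo "constructed fixed sample:      $(classify_status "$FIXED_STATUS")"
fi
```

On a Fedora 15 host with the affected commons-daemon, running this against the Tomcat child pid would print "retained" for a uid-91 process; after the 1.0.7 update it prints "dropped". The ldd check mirrors the build-time reasoning in the comment above (libcap enabled by ./configure whenever it is present): if the binary does not link libcap.so, the vulnerable path does not exist in that build.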
Sorry, I should also note that JBEWS is affected (jakarta-commons-daemon 1.0.5).
Fedora is updating to 1.0.7: http://koji.fedoraproject.org/koji/buildinfo?buildID=258637
Created apache-commons-daemon tracking bugs for this issue

Affects: fedora-15 [bug 730825]
JBEWS on EL5 and EL6 is not affected by this, as it is not built with capabilities support (no libcap-devel requirements or presence in the build).
This issue has been addressed in the following products:

JBEWS 1.0 for RHEL 4

Via RHSA-2011:1292 https://rhn.redhat.com/errata/RHSA-2011-1292.html
This issue has been addressed in the following products:

JBoss Enterprise Web Server 1.0.2 on RHEL4 (via Customer Service Portal)

Via RHSA-2011:1291 https://rhn.redhat.com/errata/RHSA-2011-1291.html