CVE-2011-2729: Commons Daemon fails to drop capabilities
Severity: high

Vendor: The Apache Software Foundation

Versions Affected: Commons Daemon 1.0.3 to 1.0.6

Additionally, these vulnerabilities only occur when all of the following are true:
a) running on the Linux operating system
b) jsvc was compiled with libcap
c) the -user parameter is used

Description:
Due to a bug in the capabilities code, jsvc does not drop its capabilities after switching to the unprivileged user, allowing the application to access files and directories owned by the superuser.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions:
a) upgrade to a version where the vulnerabilities have been fixed: jsvc 1.0.3 - 1.0.6 users should upgrade to version 1.0.7
b) do not use the -user parameter to switch user
c) recompile jsvc without libcap support

Example:

[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.6.jar:. -user jsvc
....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000406
CapPrm: 0000000000000406
CapEff: 0000000000000406
CapBnd: ffffffffffffffff

[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.7.jar:. -user jsvc
....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff

Credit:
This issue was identified by Wilfried Weissmann.

-- The Apache Commons Daemon Team
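The masks in the example above are only useful once decoded: 0x406 is bits 1, 2 and 10, i.e. CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_NET_BIND_SERVICE, which is exactly what lets the 1.0.6 daemon read and write root-owned files after dropping to the jsvc user. The following script is an added example, not code from the advisory or from Commons Daemon: it parses the Cap* lines of /proc/<pid>/status, names the capabilities that remain, and reports whether a process that was supposed to drop everything still holds any. The two embedded status excerpts are copied from the advisory's 1.0.6 and 1.0.7 runs; the bit numbering is the one from linux/capability.h.

```python
"""Decode /proc/<pid>/status capability masks and flag a process that
should have dropped all capabilities but still holds some.

Added example for the CVE-2011-2729 advisory; not part of Commons Daemon.
"""
import re
import sys

# Capability bit numbers as defined in linux/capability.h.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
}

# Constructed sample input: the `grep ^Cap /proc/<pid>/status` output the
# advisory shows for jsvc 1.0.6 (vulnerable) and 1.0.7 (fixed).
VULNERABLE_STATUS = """\
CapInh: 0000000000000406
CapPrm: 0000000000000406
CapEff: 0000000000000406
CapBnd: ffffffffffffffff
"""
FIXED_STATUS = """\
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
"""

_CAP_LINE = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_cap_lines(status_text):
    """Return {"CapInh": int, "CapPrm": int, ...} from a /proc status dump."""
    return {name: int(value, 16) for name, value in _CAP_LINE.findall(status_text)}


def decode_caps(mask):
    """Name every capability bit set in the mask, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES.get(bit, "CAP_%d" % bit))
        bit += 1
    return names


def check_dropped(status_text):
    """Return (ok, leftover) for a process that should hold no capabilities.

    Only the permitted and effective sets matter for what the process can
    actually do; the bounding set (CapBnd) is all-ones for an ordinary
    process and is deliberately ignored here.
    """
    caps = parse_cap_lines(status_text)
    leftover = []
    for setname in ("CapPrm", "CapEff"):
        for cap in decode_caps(caps.get(setname, 0)):
            leftover.append("%s:%s" % (setname, cap))
    return (not leftover, leftover)


def check_pid(pid):
    """Read the live status file of a running process and check it."""
    with open("/proc/%d/status" % pid) as fh:
        return check_dropped(fh.read())


if __name__ == "__main__":
    # Usage: python check_caps.py <pid of the daemon after the -user switch>
    pid = int(sys.argv[1])
    ok, leftover = check_pid(pid)
    if ok:
        print("pid %d holds no capabilities" % pid)
    else:
        print("pid %d still holds: %s" % (pid, ", ".join(leftover)))
        sys.exit(1)
```

Run it against the pid of the child jsvc process (the one running as the -user account) on the vulnerable build and it names CapPrm and CapEff entries for CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_NET_BIND_SERVICE; on 1.0.7 it reports an empty set. The same check works for any daemon that is expected to have dropped root before serving requests.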
