SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat Commons Daemon jsvc Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1025925
SecurityTracker URL:  http://securitytracker.com/id/1025925
CVE Reference:   CVE-2011-2729   (Links to External Site)
Date:  Aug 12 2011
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.5.32 to 5.5.33, 6.0.30 to 6.0.32, 7.0.0 to 7.0.19
Description:   A vulnerability was reported in Apache Tomcat. A local user can obtain elevated privileges on the target system in certain cases.

The Common Daemon jsvc service wrapper does not drop capabilities. The application can access files and directories that are owned by the superuser.

Only Linux-based systems are affected.

Systems where jsvc was compiled with libcap and where the '-user' parameter is invoked are affected.

Wilfried Weissmann reported this vulnerability.

Impact:   A local user can access files and directories that are owned by the superuser.
Solution:   The vendor has issued a fix (7.0.20).

A fix will be released for future versions of 5.5.x and 6.0.x.

The vendor's advisory is available at:

http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.20

Vendor URL:  tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.20 (Links to External Site)
Cause:   Access control error
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 12 Aug 2011 13:52:45 +0100
Subject:  [Full-disclosure] [SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.19
Tomcat 6.0.30 to 6.0.32
Tomcat 5.5.32 to 5.5.33

Description:
Due to a bug in the capabilities code, jsvc (the service wrapper for
Linux that is part of the Commons Daemon project) does not drop
capabilities allowing the application to access files and directories
owned by superuser. This vulnerability only applies if:
a) Tomcat is running on a Linux operating system
b) jsvc was compiled with libcap
c) -user parameter is used
The Tomcat versions above shipped with source files for jsvc that
included this vulnerability.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by
taking any of the following actions:
a) upgrade to jsvc 1.0.7 or later
b) do not use -user parameter to switch user
c) recompile the jsvc without libcap support
Updated jsvc source is included in Apache Tomcat 7.0.20 and will be
included in the next releases of Tomcat 6.0.x and 5.5.x. Updated source
can be obtained from the Apache Commons Daemon project.

Credit:
This issue was identified by Wilfried Weissmann.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC