commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mladen Turk <>
Subject [SECURITY] CVE-2011-2729 Apache Commons Daemon Information disclosure and availability vulnerabilities
Date Fri, 12 Aug 2011 12:26:41 GMT
CVE-2011-2729: Commons Daemon fails to drop capabilities

Severity: high

The Apache Software Foundation

Versions Affected:
Commons Daemon 1.0.3 to 1.0.6
Additionally, these vulnerabilities only occur when all of the
following are true:
a) running on Linux operating system
b) jsvc was compiled with libcap
c) -user parameter is used

Due to bug in capabilities code, jsvc does not drop capabilities
allowing the application to access files and directories owned by

Affected users of all versions can mitigate these vulnerabilities by
taking any of the following actions:
a) upgrade to a version where the vulnerabilities have been fixed
    jsvc 1.0.3 - 1.0.6 users should upgrade to 1.0.7 version
b) do not use -user parameter to switch user
c) recompile the jsvc without libcap support

[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.6.jar:. -user jsvc ....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000406
CapPrm: 0000000000000406
CapEff: 0000000000000406
CapBnd: ffffffffffffffff

[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.7.jar:. -user jsvc ....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff

This issue was identified by Wilfried Weissmann.

The Apache Commons Daemon Team

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message