ID CVE-2011-2729
Summary native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.3
    cpe:2.3:a:apache:apache_commons_daemon:1.0.3
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.4
    cpe:2.3:a:apache:apache_commons_daemon:1.0.4
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.5
    cpe:2.3:a:apache:apache_commons_daemon:1.0.5
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.6
    cpe:2.3:a:apache:apache_commons_daemon:1.0.6
  • Apache Software Foundation Tomcat 5.5.32
    cpe:2.3:a:apache:tomcat:5.5.32
  • Apache Software Foundation Tomcat 5.5.33
    cpe:2.3:a:apache:tomcat:5.5.33
  • Linux Kernel
    cpe:2.3:o:linux:linux_kernel
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.3
    cpe:2.3:a:apache:apache_commons_daemon:1.0.3
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.4
    cpe:2.3:a:apache:apache_commons_daemon:1.0.4
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.5
    cpe:2.3:a:apache:apache_commons_daemon:1.0.5
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.6
    cpe:2.3:a:apache:apache_commons_daemon:1.0.6
  • Apache Software Foundation Tomcat 6.0.30
    cpe:2.3:a:apache:tomcat:6.0.30
  • Apache Software Foundation Tomcat 6.0.31
    cpe:2.3:a:apache:tomcat:6.0.31
  • Apache Software Foundation Tomcat 6.0.32
    cpe:2.3:a:apache:tomcat:6.0.32
  • Linux Kernel
    cpe:2.3:o:linux:linux_kernel
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.3
    cpe:2.3:a:apache:apache_commons_daemon:1.0.3
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.4
    cpe:2.3:a:apache:apache_commons_daemon:1.0.4
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.5
    cpe:2.3:a:apache:apache_commons_daemon:1.0.5
  • cpe:2.3:a:apache:apache_commons_daemon:1.0.6
    cpe:2.3:a:apache:apache_commons_daemon:1.0.6
  • Apache Software Foundation Tomcat 7.0.0
    cpe:2.3:a:apache:tomcat:7.0.0
  • Apache Software Foundation Tomcat 7.0.0 beta
    cpe:2.3:a:apache:tomcat:7.0.0:beta
  • Apache Software Foundation Tomcat 7.0.1
    cpe:2.3:a:apache:tomcat:7.0.1
  • Apache Software Foundation Tomcat 7.0.2
    cpe:2.3:a:apache:tomcat:7.0.2
  • Apache Software Foundation Tomcat 7.0.3
    cpe:2.3:a:apache:tomcat:7.0.3
  • Apache Software Foundation Tomcat 7.0.4
    cpe:2.3:a:apache:tomcat:7.0.4
  • Apache Software Foundation Tomcat 7.0.5
    cpe:2.3:a:apache:tomcat:7.0.5
  • Apache Software Foundation Tomcat 7.0.6
    cpe:2.3:a:apache:tomcat:7.0.6
  • Apache Software Foundation Tomcat 7.0.7
    cpe:2.3:a:apache:tomcat:7.0.7
  • Apache Software Foundation Tomcat 7.0.8
    cpe:2.3:a:apache:tomcat:7.0.8
  • Apache Software Foundation Tomcat 7.0.9
    cpe:2.3:a:apache:tomcat:7.0.9
  • Apache Software Foundation Tomcat 7.0.10
    cpe:2.3:a:apache:tomcat:7.0.10
  • Apache Software Foundation Tomcat 7.0.11
    cpe:2.3:a:apache:tomcat:7.0.11
  • Apache Software Foundation Tomcat 7.0.12
    cpe:2.3:a:apache:tomcat:7.0.12
  • Apache Software Foundation Tomcat 7.0.13
    cpe:2.3:a:apache:tomcat:7.0.13
  • Apache Software Foundation Tomcat 7.0.14
    cpe:2.3:a:apache:tomcat:7.0.14
  • Apache Software Foundation Tomcat 7.0.16
    cpe:2.3:a:apache:tomcat:7.0.16
  • Apache Software Foundation Tomcat 7.0.17
    cpe:2.3:a:apache:tomcat:7.0.17
  • Apache Software Foundation Tomcat 7.0.19
    cpe:2.3:a:apache:tomcat:7.0.19
  • Linux Kernel
    cpe:2.3:o:linux:linux_kernel
CVSS
Base: 5.0 (as of 16-08-2011 - 11:43)
Impact:
Exploitability:
CWE CWE-264
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family Web Servers
    NASL id TOMCAT_7_0_20.NASL
    description According to its self-reported version number, the instance of Apache Tomcat 7.x listening on the remote host is prior to 7.0.20. It is, therefore, affected by an information disclosure vulnerability due to a component that Apache Tomcat relies on called 'jsvc' which does not drop capabilities after starting and can allow access to sensitive files owned by the super user. Note that this vulnerability only affects Linux operating systems and only when the following are true : - jsvc is compiled with libpcap - the '-user' parameter is used Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2018-08-03
    plugin id 55859
    published 2011-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55859
    title Apache Tomcat 7.x < 7.0.20 'jsvc' Information Disclosure
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201206-24.NASL
    description The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details. Impact : The vulnerabilities allow an attacker to cause a Denial of Service, to hijack a session, to bypass authentication, to inject webscript, to enumerate valid usernames, to read, modify and overwrite arbitrary files, to bypass intended access restrictions, to delete work-directory files, to discover the server’s hostname or IP, to bypass read permissions for files or HTTP headers, to read or write files outside of the intended working directory, and to obtain sensitive information by reading a log file. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2018-07-11
    plugin id 59677
    published 2012-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59677
    title GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1298-1.NASL
    description Wilfried Weissmann discovered that Apache Commons Daemon incorrectly dropped capabilities after starting. A remote attacker could possibly use this flaw to read certain files, bypassing the intended permissions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 57271
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57271
    title Ubuntu 11.04 / 11.10 : commons-daemon vulnerability (USN-1298-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-10936.NASL
    description This update fixes several bugs and also security issue CVE-2011-2729. Users are encouraged to update as soon as possible. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-20
    plugin id 55988
    published 2011-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55988
    title Fedora 15 : apache-commons-daemon-1.0.7-1.fc15 (2011-10936)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-10880.NASL
    description This update fixes several bugs and also security issue CVE-2011-2729. Users are encouraged to update as soon as possible. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 55962
    published 2011-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55962
    title Fedora 16 : apache-commons-daemon-1.0.7-1.fc16 (2011-10880)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_JAKARTA-COMMONS-DAEMON-110916.NASL
    description jsvc did not properly drop capabilities, therefore allowing applications to access files owned by the super user (CVE-2011-2729).
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 75868
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75868
    title openSUSE Security Update : jakarta-commons-daemon (openSUSE-SU-2011:1062-1)
  • NASL family Web Servers
    NASL id TOMCAT_5_5_34.NASL
    description According to its self-reported version number, the instance of Apache Tomcat 5.5.x listening on the remote host is prior to 5.5.34. It is, there, affected by multiple vulnerabilities : - Several weaknesses were found in the HTTP Digest authentication implementation. The issues are as follows: replay attacks are possible, server nonces are not checked, client nonce counts are not checked, 'quality of protection' (qop) values are not checked, realm values are not checked and the server secret is a hard-coded, known string. The effect of these issues is that Digest authentication is no stronger than Basic authentication. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064) - An error handling issue exists related to the MemoryUserDatabase that allows user passwords to be disclosed through log files. (CVE-2011-2204) - An input validation error exists that allows a local attacker to either bypass security or carry out denial of service attacks when the APR or NIO connectors are enabled. (CVE-2011-2526) - A component that Apache Tomcat relies on called 'jsvc' contains an error in that it does not drop capabilities after starting and can allow access to sensitive files owned by the super user. Note this vulnerability only affects Linux operating systems and only when 'jsvc' is compiled with libpcap and the '-user' parameter is used. (CVE-2011-2729) - Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to authentication bypass and disclosure of sensitive information. Note this vulnerability only occurs when the org.apache.jk.server.JkCoyoteHandler AJP connector is not used, POST requests are accepted, and the request body is not processed.(CVE-2011-3190) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2018-08-01
    plugin id 56301
    published 2011-09-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56301
    title Apache Tomcat 5.5.x < 5.5.34 Multiple Vulnerabilities
  • NASL family Web Servers
    NASL id TOMCAT_6_0_33.NASL
    description According to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is prior to 6.0.33. It is, therefore, affected by multiple vulnerabilities : - Several weaknesses were found in the HTTP Digest authentication implementation. The issues are as follows: replay attacks are possible, server nonces are not checked, client nonce counts are not checked, 'quality of protection' (qop) values are not checked, realm values are not checked and the server secret is a hard-coded, known string. The effect of these issues is that Digest authentication is no stronger than Basic authentication. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064) - An error handling issue exists related to the MemoryUserDatabase that allows user passwords to be disclosed through log files. (CVE-2011-2204) - An input validation error exists that allows a local attacker to either bypass security or carry out denial of service attacks when the APR or NIO connectors are enabled. (CVE-2011-2526) - A component that Apache Tomcat relies on called 'jsvc' contains an error in that it does not drop capabilities after starting and can allow access to sensitive files owned by the super user. Note this vulnerability only affects Linux operating systems and only when the following are true: jsvc is compiled with libpcap and the '-user' parameter is used. (CVE-2011-2729) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2018-08-01
    plugin id 56008
    published 2011-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56008
    title Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities
oval via4
  • accepted 2015-04-20T04:00:41.291-04:00
    class vulnerability
    contributors
    • name Yamini Mohan R
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
    family unix
    id oval:org.mitre.oval:def:14743
    status accepted
    submitted 2012-01-30T11:36:29.000-05:00
    title HP-UX Apache Running Tomcat Servlet Engine, Remote Information Disclosure, Authentication Bypass, Cross-Site Scripting (XSS), Unauthorized Access, Denial of Service (DoS)
    version 43
  • accepted 2015-04-20T04:01:18.104-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.
    family unix
    id oval:org.mitre.oval:def:19450
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Access Restriction Bypass, Unauthorized Modification and Other Vulnerabilities
    version 43
redhat via4
advisories
  • rhsa
    id RHSA-2011:1291
  • rhsa
    id RHSA-2011:1292
refmap via4
bid 49143
bugtraq 20110812 [SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)
confirm
hp
  • HPSBOV02762
  • HPSBST02955
  • HPSBUX02725
  • HPSBUX02860
  • SSRT100627
  • SSRT100825
  • SSRT101146
mlist
  • [commons-dev] 20110812 [AANNOUNCE] Apache Commons Daemon 1.0.7 released
  • [tomcat-announce] 20110812 [SECURITY] CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)
sectrack 1025925
secunia
  • 46030
  • 57126
suse openSUSE-SU-2011:1062
xf tomcat-jsvc-info-disclosure(69161)
Last major update 22-08-2016 - 22:03
Published 15-08-2011 - 17:55
Last modified 09-10-2018 - 15:32
Back to Top