Rapid7 Vulnerability & Exploit Database

RHSA-2011:1292: jakarta-commons-daemon-jsvc security update

Back to Search

RHSA-2011:1292: jakarta-commons-daemon-jsvc security update

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
08/15/2011
Created
07/25/2018
Added
09/20/2011
Modified
07/04/2017

Description

An updated jakarta-commons-daemon-jsvc package that fixes one security issue is now available for JBoss Enterprise Web Server 1.0 for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The jakarta-commons-daemon-jsvc package includes jsvc, a service wrapper that allows Java applications to be run as daemons. It was found that jsvc did not correctly drop capabilities after starting an application. If an administrator used jsvc to run an application, and also used the "-user" option to specify a user for it to run as, the application correctly ran as that user but did not drop its increased capabilities, allowing it access to all files and directories accessible to the root user. (CVE-2011-2729) Note: This flaw does not affect Red Hat Enterprise Linux 5 and 6, as the jakarta-commons-daemon-jsvc packages for those products are not built with capabilities support. Users of JBoss Enterprise Web Server 1.0 for Red Hat Enterprise Linux 4 should upgrade to this updated package, which contains backported patches to correct this issue. If jsvc is started, it must be restarted for this update to take effect.

Solution(s)

  • redhat-upgrade-jakarta-commons-daemon-jsvc

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;