Executive Summary
Summary | |
---|---|
Title | Apache Commons Daemon vulnerability |
Informations | |||
---|---|---|---|
Name | USN-1298-1 | First vendor Publication | 2011-12-12 |
Vendor | Ubuntu | Last vendor Modification | 2011-12-12 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 Summary: Apache Commons Daemon would allow unintended access to files over the network. Software Description: - commons-daemon: wrapper to launch Java applications as daemons Details: Wilfried Weissmann discovered that Apache Commons Daemon incorrectly dropped capabilities after starting. A remote attacker could possibly use this flaw to read certain files, bypassing the intended permissions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: Ubuntu 11.04: After a standard system update you need to restart applications which use Apache Commons Daemon, such as the Jetty web server, to make all the necessary changes. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-1298-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:14743 | |||
Oval ID: | oval:org.mitre.oval:def:14743 | ||
Title: | HP-UX Apache Running Tomcat Servlet Engine, Remote Information Disclosure, Authentication Bypass, Cross-Site Scripting (XSS), Unauthorized Access, Denial of Service (DoS) | ||
Description: | native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-2729 | Version: | 11 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:15171 | |||
Oval ID: | oval:org.mitre.oval:def:15171 | ||
Title: | USN-1298-1 -- Apache Commons Daemon vulnerability | ||
Description: | commons-daemon: wrapper to launch Java applications as daemons Apache Commons Daemon would allow unintended access to files over the network. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1298-1 CVE-2011-2729 | Version: | 5 |
Platform(s): | Ubuntu 11.04 Ubuntu 11.10 | Product(s): | Apache |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19450 | |||
Oval ID: | oval:org.mitre.oval:def:19450 | ||
Title: | HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Access Restriction Bypass, Unauthorized Modification and Other Vulnerabilities | ||
Description: | native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-2729 | Version: | 11 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-24 (apache tomcat) File : nvt/glsa_201206_24.nasl |
2012-04-02 | Name : Fedora Update for apache-commons-daemon FEDORA-2011-10880 File : nvt/gb_fedora_2011_10880_apache-commons-daemon_fc16.nasl |
2011-12-16 | Name : Ubuntu Update for commons-daemon USN-1298-1 File : nvt/gb_ubuntu_USN_1298_1.nasl |
2011-08-31 | Name : Fedora Update for apache-commons-daemon FEDORA-2011-10936 File : nvt/gb_fedora_2011_10936_apache-commons-daemon_fc15.nasl |
2011-08-17 | Name : Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability File : nvt/gb_tomcat_49143.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
74541 | Apache Tomcat Commons Daemon Jsvc Permissions Weakness Arbitrary File Access |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_jakarta-commons-daemon-110916.nasl - Type : ACT_GATHER_INFO |
2012-06-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-24.nasl - Type : ACT_GATHER_INFO |
2011-12-13 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1298-1.nasl - Type : ACT_GATHER_INFO |
2011-09-26 | Name : The remote web server is affected by multiple vulnerabilities. File : tomcat_5_5_34.nasl - Type : ACT_GATHER_INFO |
2011-08-30 | Name : The remote web server is affected by multiple vulnerabilities. File : tomcat_6_0_33.nasl - Type : ACT_GATHER_INFO |
2011-08-29 | Name : The remote Fedora host is missing a security update. File : fedora_2011-10936.nasl - Type : ACT_GATHER_INFO |
2011-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2011-10880.nasl - Type : ACT_GATHER_INFO |
2011-08-16 | Name : The remote web server is affected by an information disclosure vulnerability. File : tomcat_7_0_20.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:59:24 |
|