Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability - CVE-2011-2729

  • 7009193
  • 17-Aug-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Access Gateway Service
Novell Access Manager 3.1 Support Pack 3 applied

Situation

CVE-2011-2729 was recently reported as fixed by the Apache Software Foundation. The fix was included in Tomcat 5.5-34. Access Manager ships with 5.5.30, whcih does not include the fix for this vulnerability. Is Novell Access Manager 3.1 SP3 susceptible to this vulnerability which only occurs when all of the following are true:
  • Tomcat is running on a Linux operating system
  • jsvc was compiled with libcap
  • -user parameter is used

Resolution

Novell ACcess Manager components do NOT use the jsvc to launch the java applications, and is therefor not susceptible to the vulnerability. To check if jsvc is used, one could do

"ps -ef | grep catalina"


and check whether the "jsvc" flag is being used.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.