Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yNjlxLWhteGctbTgzcc3kbg
Local Information Disclosure Vulnerability in io.netty:netty-codec-http
Description
GHSA-5mcr-gq6c-3hq2 (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.
Impact
When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.
This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.
Vulnerability Details
To fix the vulnerability the code was changed to the following:
@SuppressJava6Requirement(reason = "Guarded by version check")
public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
if (javaVersion() >= 7) {
if (directory == null) {
return Files.createTempFile(prefix, suffix).toFile();
}
return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
}
if (directory == null) {
return File.createTempFile(prefix, suffix);
}
File file = File.createTempFile(prefix, suffix, directory);
// Try to adjust the perms, if this fails there is not much else we can do...
file.setReadable(false, false);
file.setReadable(true, true);
return file;
}
Unfortunately, this logic path was left vulnerable:
if (directory == null) {
return File.createTempFile(prefix, suffix);
}
This file is still readable by all local users.
Patches
Update to 4.1.77.Final
Workarounds
Specify your own java.io.tmpdir
when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...)
to set the directory to something that is only readable by the current user or update to Java 7 or above.
References
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
For more information
If you have any questions or comments about this advisory:
Open an issue in netty
Permalink: https://github.com/advisories/GHSA-269q-hmxg-m83qJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNjlxLWhteGctbTgzcc3kbg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-269q-hmxg-m83q, CVE-2022-24823
References:
- https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
- https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
- https://nvd.nist.gov/vuln/detail/CVE-2022-24823
- https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
- https://security.netapp.com/advisory/ntap-20220616-0004/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-269q-hmxg-m83q
Blast Radius: 21.0
Affected Packages
maven:io.netty:netty-codec-http
Dependent packages: 1,324Dependent repositories: 6,505
Downloads:
Affected Version Ranges: <= 4.1.76.Final
Fixed in: 4.1.77.Final
All affected versions: 4.1.7-0.Final, 4.1.7-1.Final, 4.1.7-2.Final, 4.1.7-3.Final, 4.1.7-4.Final, 4.1.7-5.Final, 4.1.7-6.Final
All unaffected versions: