GHSA-269Q-HMXG-M83Q

Vulnerability from github – Published: 2022-05-10 08:46 – Updated: 2022-05-10 08:46
VLAI?
Summary
Local Information Disclosure Vulnerability in io.netty:netty-codec-http
Details

Description

GHSA-5mcr-gq6c-3hq2 (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.

Impact

When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.

This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.

Vulnerability Details

To fix the vulnerability the code was changed to the following:

    @SuppressJava6Requirement(reason = "Guarded by version check")
    public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
        if (javaVersion() >= 7) {
            if (directory == null) {
                return Files.createTempFile(prefix, suffix).toFile();
            }
            return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
        }
        if (directory == null) {
            return File.createTempFile(prefix, suffix);
        }
        File file = File.createTempFile(prefix, suffix, directory);
        // Try to adjust the perms, if this fails there is not much else we can do...
        file.setReadable(false, false);
        file.setReadable(true, true);
        return file;
    }

Unfortunately, this logic path was left vulnerable:

        if (directory == null) {
            return File.createTempFile(prefix, suffix);
        }

This file is still readable by all local users.

Patches

Update to 4.1.77.Final

Workarounds

Specify your own java.io.tmpdir when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user or update to Java 7 or above.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in netty

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.76.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-codec-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.77.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378",
      "CWE-379",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-10T08:46:50Z",
    "nvd_published_at": "2022-05-06T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Description ###\n[GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.\n\n### Impact ###\n\nWhen netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\n\nThis only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\n### Vulnerability Details ###\n\nTo fix the vulnerability the code was changed to the following:\n\n```java\n    @SuppressJava6Requirement(reason = \"Guarded by version check\")\n    public static File createTempFile(String prefix, String suffix, File directory) throws IOException {\n        if (javaVersion() \u003e= 7) {\n            if (directory == null) {\n                return Files.createTempFile(prefix, suffix).toFile();\n            }\n            return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();\n        }\n        if (directory == null) {\n            return File.createTempFile(prefix, suffix);\n        }\n        File file = File.createTempFile(prefix, suffix, directory);\n        // Try to adjust the perms, if this fails there is not much else we can do...\n        file.setReadable(false, false);\n        file.setReadable(true, true);\n        return file;\n    }\n```\n\nUnfortunately, this logic path was left vulnerable:\n\n```java\n        if (directory == null) {\n            return File.createTempFile(prefix, suffix);\n        }\n```\n\nThis file is still readable by all local users.\n\n### Patches ###\n\nUpdate to 4.1.77.Final\n\n### Workarounds ###\n\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user or update to Java 7 or above.\n\n### References ###\n\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n\n### For more information ###\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [netty](https://github.com/netty/netty)\n",
  "id": "GHSA-269q-hmxg-m83q",
  "modified": "2022-05-10T08:46:50Z",
  "published": "2022-05-10T08:46:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netty/netty"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220616-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local Information Disclosure Vulnerability in io.netty:netty-codec-http"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.