First Last Prev Next    This bug is not in your last search results.
Bug 1199338 - (CVE-2022-24823) VUL-0: CVE-2022-24823: netty: world readable temporary file containing sensitive data
(CVE-2022-24823)
VUL-0: CVE-2022-24823: netty: world readable temporary file containing sensit...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/330996/
:
Depends on:
Blocks: CVE-2021-21290
  Show dependency treegraph
 
Reported: 2022-05-09 08:52 UTC by Thomas Leroy
Modified: 2022-05-09 09:15 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-05-09 08:52:25 UTC 
CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application
framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final
contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders
are used local information disclosure can occur via the local system temporary
directory if temporary storing uploads on the disk is enabled. This only impacts
applications running on Java version 6 and lower. Additionally, this
vulnerability impacts code running on Unix-like systems, and very old versions
of Mac OSX and Windows as they all share the system temporary directory between
all users. Version 4.1.77.Final contains a patch for this vulnerability. As a
workaround, specify one's own `java.io.tmpdir` when starting the JVM or use
DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is
only readable by the current user.

Upstream fix:
https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24823
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
Comment 1 Thomas Leroy 2022-05-09 09:00:41 UTC 
The fix for CVE-2021-21290 (bnc#1182103) is incomplete for Java 6.
Only codestreams containing the fix for CVE-2021-21290 are affected.
Only SUSE:SLE-15-SP2:Update has the fix, but it looks unsupported according smelt.


At this time, no codestream is affected. 
But SUSE:SLE-15-SP2:Update:Products:Manager41:Update, SUSE:SLE-15-SP3:Update:Products:Manager42:Update and SUSE:SLE-15-SP4:Update:Products:Manager43:Update are still unfixed for CVE-2021-21290, and if they plan to be, we will have to fix for CVE-2022-24823 also.
Comment 2 Thomas Leroy 2022-05-09 09:01:19 UTC 
netty3 is also not affected.
First Last Prev Next    This bug is not in your last search results.