Bug 1199338 - (CVE-2022-24823) VUL-0: CVE-2022-24823: netty: world readable temporary file containing sensitive data
VUL-0: CVE-2022-24823: netty: world readable temporary file containing sensit...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Fridrich Strba
Security Team bot
Depends on:
Blocks: CVE-2021-21290
  Show dependency treegraph
Reported: 2022-05-09 08:52 UTC by Thomas Leroy
Modified: 2022-05-09 09:15 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-05-09 08:52:25 UTC

Netty is an open-source, asynchronous event-driven network application
framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final
contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders
are used local information disclosure can occur via the local system temporary
directory if temporary storing uploads on the disk is enabled. This only impacts
applications running on Java version 6 and lower. Additionally, this
vulnerability impacts code running on Unix-like systems, and very old versions
of Mac OSX and Windows as they all share the system temporary directory between
all users. Version 4.1.77.Final contains a patch for this vulnerability. As a
workaround, specify one's own `java.io.tmpdir` when starting the JVM or use
DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is
only readable by the current user.

Upstream fix:

Comment 1 Thomas Leroy 2022-05-09 09:00:41 UTC
The fix for CVE-2021-21290 (bnc#1182103) is incomplete for Java 6.
Only codestreams containing the fix for CVE-2021-21290 are affected.
Only SUSE:SLE-15-SP2:Update has the fix, but it looks unsupported according smelt.

At this time, no codestream is affected. 
But SUSE:SLE-15-SP2:Update:Products:Manager41:Update, SUSE:SLE-15-SP3:Update:Products:Manager42:Update and SUSE:SLE-15-SP4:Update:Products:Manager43:Update are still unfixed for CVE-2021-21290, and if they plan to be, we will have to fix for CVE-2022-24823 also.
Comment 2 Thomas Leroy 2022-05-09 09:01:19 UTC
netty3 is also not affected.