Bugzilla – Bug 1199338
VUL-0: CVE-2022-24823: netty: world readable temporary file containing sensitive data
Last modified: 2022-05-09 09:15:01 UTC
Netty is an open-source, asynchronous event-driven network application
framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final
contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders
are used local information disclosure can occur via the local system temporary
directory if temporary storing uploads on the disk is enabled. This only impacts
applications running on Java version 6 and lower. Additionally, this
vulnerability impacts code running on Unix-like systems, and very old versions
of Mac OSX and Windows as they all share the system temporary directory between
all users. Version 4.1.77.Final contains a patch for this vulnerability. As a
workaround, specify one's own `java.io.tmpdir` when starting the JVM or use
DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is
only readable by the current user.
The fix for CVE-2021-21290 (bnc#1182103) is incomplete for Java 6.
Only codestreams containing the fix for CVE-2021-21290 are affected.
Only SUSE:SLE-15-SP2:Update has the fix, but it looks unsupported according smelt.
At this time, no codestream is affected.
But SUSE:SLE-15-SP2:Update:Products:Manager41:Update, SUSE:SLE-15-SP3:Update:Products:Manager42:Update and SUSE:SLE-15-SP4:Update:Products:Manager43:Update are still unfixed for CVE-2021-21290, and if they plan to be, we will have to fix for CVE-2022-24823 also.
netty3 is also not affected.