CVE-2021-21290

Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Netty es un framework de aplicación de red de código abierto y asíncrono controlado por eventos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. En Netty anterior a la versión 4.1.59.Final, se presenta una vulnerabilidad en sistemas similares a Unix que involucra un archivo temporal no seguro. Cuando se usan los decodificadores multiparte de netty, la divulgación de información local puede ocurrir por medio del directorio temporal del sistema local si el almacenamiento temporal de cargas en el disco está habilitado. En sistemas tipo Unix, el directorio temporal se comparte entre todos los usuarios. Tal y como, escribir en este directorio utilizando las API que no establezcan explícitamente los permisos de archivo/directorio puede conducir a una divulgación de información. Cabe señalar que esto no afecta a los sistemas operativos MacOS modernos. El método "File.createTempFile" en sistemas similares a Unix crea un archivo aleatorio, pero, por defecto creará este archivo con los permisos "-rw-r - r--". Por lo tanto, si se escribe información confidencial en este archivo, otros usuarios locales pueden leer esta información. Este es el caso en el que "AbstractDiskHttpData" de netty es vulnerable. Esto ha sido corregido en la versión 4.1.59.Final. Como solución alternativa, se puede especificar su propio "java.io.tmpdir" al iniciar la JVM o utilizar "DefaultHttpDataFactory.setBaseDir(...)" para establecer el directorio en algo que solo el usuario actual pueda leer

In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-02-08 CVE Published
2023-11-08 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-378: Creation of Temporary File With Insecure Permissions
CWE-379: Creation of Temporary File in Directory with Insecure Permissions
CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (41)

URL	Tag	Source
https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E	X_refsource_misc
https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html	Mailing List
https://security.netapp.com/advisory/ntap-20220210-0011	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory

URL	Date	SRC
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2	2024-08-03

URL	Date	SRC
https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec	2023-11-07
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://www.debian.org/security/2021/dsa-4885	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-21290	2022-07-05
https://bugzilla.redhat.com/show_bug.cgi?id=1927028	2022-07-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netty Search vendor "Netty"		Netty Search vendor "Netty" for product "Netty"				< 4.1.59 Search vendor "Netty" for product "Netty" and version " < 4.1.59"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				<= 1.13.7 Search vendor "Quarkus" for product "Quarkus" and version " <= 1.13.7"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.2.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.3.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.5.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.2.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.3.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.5.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management"				14.2.0 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management"				14.3.0 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Trade Finance Process Management Search vendor "Oracle" for product "Banking Trade Finance Process Management"				14.5.0 Search vendor "Oracle" for product "Banking Trade Finance Process Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine"				12.0.0.3 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version "12.0.0.3"		-		Affected
Oracle Search vendor "Oracle"		Communications Design Studio Search vendor "Oracle" for product "Communications Design Studio"				7.4.2 Search vendor "Oracle" for product "Communications Design Studio" and version "7.4.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"		-		Affected
Oracle Search vendor "Oracle"		Nosql Database Search vendor "Oracle" for product "Nosql Database"				< 20.3 Search vendor "Oracle" for product "Nosql Database" and version " < 20.3"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		linux		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected
Netapp Search vendor "Netapp"		Cloud Secure Agent Search vendor "Netapp" for product "Cloud Secure Agent"				-		-		Affected
Netapp Search vendor "Netapp"		Snapcenter Search vendor "Netapp" for product "Snapcenter"				-		-		Affected