apache karaf CVE-2021-21290 vulnerability in Apache and Other Products
Published on February 8, 2021

product logo product logo product logo product logo product logo product logo product logo
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Github Repository Vendor Advisory NVD

Vulnerability Analysis

CVE-2021-21290 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

Creation of Temporary File With Insecure Permissions

Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

Creation of Temporary File in Directory with Insecure Permissions

The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached.


Products Associated with CVE-2021-21290

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-21290 are published in these products:

Apache Karaf
 
Netty
 
Debian Linux
 
Quarkus
 
Oracle Nosql Database
 
Oracle Banking Corporate Lending Process Management
 
Oracle Banking Credit Facilities Process Management
 
Oracle Banking Trade Finance Process Management
 
Oracle Communications Brm Elastic Charging Engine
 
Oracle Communications Design Studio
 
Oracle Communications Messaging Server
 
NetApp Active Iq Unified Manager
 
NetApp Cloud Secure Agent
 
NetApp Snapcenter
 
Canonical Ubuntu Linux
 

Affected Versions

netty Version < 4.1.59.Final is affected by CVE-2021-21290

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-21290

Package Manager Vulnerable Package Versions Fixed In
maven io.netty:netty-codec-http < 4.1.59 4.1.59.Final
maven io.netty:netty-codec-http <= 4.1.76.Final 4.1.77.Final

Exploit Probability

EPSS
0.03%
Percentile
6.37%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.