{"schema_version":"1.7.2","id":"OESA-2021-1143","modified":"2021-04-07T11:02:49Z","published":"2021-04-07T11:02:49Z","upstream":["CVE-2021-21290"],"summary":"netty security update","details":"Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026amp; clients.\r\n\r\nSecurity Fix(es):\r\n\r\nNetty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026amp; clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0026apos;s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \u0026quot;File.createTempFile\u0026quot; on unix-like systems creates a random file, but, by default will create this file with the permissions \u0026quot;-rw-r--r--\u0026quot;. Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty\u0026apos;s \u0026quot;AbstractDiskHttpData\u0026quot; is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \u0026quot;java.io.tmpdir\u0026quot; when you start the JVM or use \u0026quot;DefaultHttpDataFactory.setBaseDir(...)\u0026quot; to set the directory to something that is only readable by the current user.(CVE-2021-21290)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"netty","purl":"pkg:rpm/openEuler/netty\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.13-10.oe1"}]}],"ecosystem_specific":{"aarch64":["netty-4.1.13-10.oe1.aarch64.rpm"],"noarch":["netty-help-4.1.13-10.oe1.noarch.rpm"],"src":["netty-4.1.13-10.oe1.src.rpm"],"x86_64":["netty-4.1.13-10.oe1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1143"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21290"}],"database_specific":{"severity":"Medium"}}