Vulnerability Name:

CVE-2021-21290 (CCN-197110)

Assigned:2020-12-22
Published:2021-02-08
Updated:2022-05-12
Summary:Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default creates this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read it. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
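As an added illustration (not code from the Netty project or from the advisory), the following Java snippet contrasts the default-permission temp file the summary describes with an owner-only temp file and an owner-only base directory suitable for the "java.io.tmpdir" / "DefaultHttpDataFactory.setBaseDir(...)" workaround; the class and method names are the example's own, and the Netty call at the end is shown only as a comment.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Example class (assumed name); run on a Unix-like system with a shared /tmp.
public class TempFilePerms {

    // Pre-fix pattern: File.createTempFile only honours the process umask,
    // which on most Unix-like systems yields -rw-r--r-- (readable by every local user).
    static Path insecureTemp() throws IOException {
        File f = File.createTempFile("upload_", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened pattern: request owner-only permissions at creation time, so the
    // file is never observable by other local users, not even briefly.
    static Path privateTemp() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Path p = Files.createTempFile("upload_", ".tmp", PosixFilePermissions.asFileAttribute(ownerOnly));
        p.toFile().deleteOnExit();
        return p;
    }

    // Workaround from the advisory: a directory readable only by the current user,
    // to be passed as java.io.tmpdir or to DefaultHttpDataFactory.setBaseDir(...).
    static Path privateBaseDir() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        return Files.createTempDirectory("netty-uploads-", PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // Audit helper: true if group or others can read the path (the condition that leaks uploads).
    static boolean exposedToOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path leaky = insecureTemp();
        Path safe = privateTemp();
        Path base = privateBaseDir();
        System.out.println(leaky + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(leaky))
                + " exposed=" + exposedToOtherUsers(leaky));
        System.out.println(safe + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(safe))
                + " exposed=" + exposedToOtherUsers(safe));
        System.out.println("base dir for setBaseDir: " + base + " exposed=" + exposedToOtherUsers(base));
        // With netty-codec-http on the classpath (not compiled here):
        // new DefaultHttpDataFactory(true).setBaseDir(base.toString());
    }
}
```

Running it as a user with the common umask 022 shows the first file as exposed and the other two paths as owner-only, which is the check an operator would apply to an existing deployment's upload directory.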
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
2.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity:1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-378
CWE-379
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-21290

Source: XF
Type: UNKNOWN
netty-cve202121290-info-disc(197110)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec

Source: CCN
Type: Netty GIT Repository
Local Information Disclosure Vulnerability in Netty on Unix-Like systems due to temporary files

Source: CONFIRM
Type: Exploit, Third Party Advisory
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final

Source: MLIST
Type: Mailing List, Third Party Advisory
[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220210-0011/

Source: DEBIAN
Type: Third Party Advisory
DSA-4885

Source: CCN
Type: IBM Security Bulletin 6462247 (Tivoli Netcool/OMNIbus)
Multiple vulnerabilities have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409)

Source: CCN
Type: IBM Security Bulletin 6469411 (Watson Machine Learning on CP4D)
Netty Vulnerability Affects IBM Watson Machine Learning on CP4D ( CVE-2021-21290)

Source: CCN
Type: IBM Security Bulletin 6491163 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6492195 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Netty

Source: CCN
Type: IBM Security Bulletin 6495959 (Sterling B2B Integrator)
Netty Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 6518930 (Netcool Agile Service Manager)
Vulnerabilities affect IBM Netcool Agile Service Manager

Source: CCN
Type: IBM Security Bulletin 6538152 (Cloud Private)
Vulnerability in Netty affects IBM Cloud Private (CVE-2021-21290)

Source: CCN
Type: IBM Security Bulletin 6570957 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6572999 (Security Guardium)
IBM Security Guardium is affected by a number of security vulnerabilities in Netty, which is used by Guardium (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137)

Source: CCN
Type: IBM Security Bulletin 6582695 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6831007 (Sterling Order Management)
IBM Sterling Order Management Netty 4.1.34 vulnerability

Source: CCN
Type: IBM Security Bulletin 6831799 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6831813 (Netcool Operations Insight)
Netcool Operations Insight v1.6.6 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6854713 (Voice Gateway)
Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6857803 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6955723 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Netty Information Disclosure and Man-in the middle vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6967333 (QRadar SIEM)
IBM QRadar SIEM includes components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6980407 (Sterling Order Management)
Netty Vulnerabilities 4.0.37

Source: CCN
Type: IBM Security Bulletin 7001867 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:netty:netty:*:*:*:*:*:*:*:* (Version < 4.1.59)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:quarkus:quarkus:*:*:*:*:*:*:*:* (Version <= 1.13.7)

Configuration 4:
  • cpe:/a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:nosql_database:*:*:*:*:*:*:*:* (Version < 20.3)
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

Configuration 5:
  • cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
  • OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
  • OR cpe:/a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:tivoli_netcool/omnibus:8.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:netcool_agile_service_manager:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
  • Definition ID: oval:org.opensuse.security:def:113025, Class: P, Title: netty-4.1.60-1.4 on GA media (Moderate), Last Modified: 2022-01-17
  • Definition ID: oval:org.opensuse.security:def:106469, Class: P, Title: Security update for fetchmail (Moderate), Last Modified: 2021-12-14