CVE-2021-21290

Summary

CVE: CVE-2021-21290
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2021-02-08 20:15:00 UTC
Updated: 2023-11-07 03:29:00 UTC
Description: Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a randomly named file, but by default creates it with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read it. This is the case in Netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify a custom "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to one that is only readable by the current user.
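The following Java program is an added illustration of the two API calls named above and is not Netty's code: it creates one temp file with java.io.File.createTempFile (the pre-4.1.59.Final pattern) and one with java.nio.file.Files.createTempFile (the pattern of the fix), then reports which one other local users could read. It assumes a Unix-like system with POSIX permissions; the class and method names are the example's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;

// Added example for CVE-2021-21290 (Java 11+); names are the example's own, not Netty's.
public class TempFilePermissionCheck {

    // Pattern Netty used before 4.1.59.Final: java.io.File.createTempFile only applies the
    // process umask, so with the common umask 022 the file is created -rw-r--r--.
    static Path createWithFileApi(Path baseDir) throws IOException {
        File dir = baseDir == null ? null : baseDir.toFile();
        return File.createTempFile("upload", ".tmp", dir).toPath();
    }

    // Pattern of the fix: java.nio.file.Files.createTempFile creates the file
    // owner-only (rw-------) on POSIX platforms when no attributes are passed.
    static Path createWithFilesApi(Path baseDir) throws IOException {
        return baseDir == null
                ? Files.createTempFile("upload", ".tmp")
                : Files.createTempFile(baseDir, "upload", ".tmp");
    }

    // True if any permission beyond owner read/write is set (group and others bits included).
    static boolean isAccessibleToOthers(Path p) throws IOException {
        return Files.getPosixFilePermissions(p).stream()
                .anyMatch(perm -> perm != PosixFilePermission.OWNER_READ
                               && perm != PosixFilePermission.OWNER_WRITE);
    }

    public static void main(String[] args) throws IOException {
        // Optional argument: a base directory, as DefaultHttpDataFactory.setBaseDir(...) would take.
        Path baseDir = args.length > 0 ? Path.of(args[0]) : null;
        Path legacy = createWithFileApi(baseDir);
        Path fixed = createWithFilesApi(baseDir);
        try {
            for (Path p : new Path[] {legacy, fixed}) {
                System.out.printf("%s -> %s%s%n", p,
                        PosixFilePermissions.toString(Files.getPosixFilePermissions(p)),
                        isAccessibleToOthers(p) ? " (readable by other local users)" : " (owner only)");
            }
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(fixed);
        }
    }
}
```

Run with no argument to see the shared java.io.tmpdir case, or pass a directory only the current user can read to mirror the setBaseDir workaround.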

Risk And Classification

Problem Types: CWE-378 | CWE-379

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Apache | Karaf | 2.7.0 | All | All | All
Operating System | Debian | Debian Linux | 10.0 | All | All | All
Operating System | Debian | Debian Linux | 9.0 | All | All | All
Application | Netapp | Active Iq Unified Manager | - | All | All | All
Application | Netapp | Cloud Secure Agent | - | All | All | All
Application | Netapp | Snapcenter | - | All | All | All
Application | Netty | Netty | All | All | All | All
Application | Oracle | Banking Corporate Lending Process Management | 14.2.0 | All | All | All
Application | Oracle | Banking Corporate Lending Process Management | 14.3.0 | All | All | All
Application | Oracle | Banking Corporate Lending Process Management | 14.5.0 | All | All | All
Application | Oracle | Banking Credit Facilities Process Management | 14.2.0 | All | All | All
Application | Oracle | Banking Credit Facilities Process Management | 14.3.0 | All | All | All
Application | Oracle | Banking Credit Facilities Process Management | 14.5.0 | All | All | All
Application | Oracle | Banking Trade Finance Process Management | 14.2.0 | All | All | All
Application | Oracle | Banking Trade Finance Process Management | 14.3.0 | All | All | All
Application | Oracle | Banking Trade Finance Process Management | 14.5.0 | All | All | All
Application | Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 | All | All | All
Application | Oracle | Communications Design Studio | 7.4.2 | All | All | All
Application | Oracle | Communications Messaging Server | 8.1 | All | All | All
Application | Oracle | Nosql Database | All | All | All | All
Application | Quarkus | Quarkus | All | All | All | All

References

Reference | Source | Link | Tags
[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8c... | | lists.apache.org |
[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295 | | lists.apache.org |
[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290 | | lists.apache.org |
Debian -- Security Information -- DSA-4885-1 netty | DEBIAN | www.debian.org |
[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability | | lists.apache.org |
[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com |
[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability | | lists.apache.org |
[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final | | lists.apache.org |
[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation | | lists.apache.org |
[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295 | | lists.apache.org |
Use Files.createTempFile(...) to ensure the file is created with prop… · netty/netty@c735357 · GitHub | MISC | github.com | Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com |
[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com |
[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 | | lists.apache.org |
[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 | | lists.apache.org |
[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 | | lists.apache.org |
[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[SECURITY] [DLA 2555-1] netty security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory
[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290 | | lists.apache.org |
[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 | | lists.apache.org |
Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files · Advisory · netty/netty · GitHub | CONFIRM | github.com | Exploit, Third Party Advisory
[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295 | | lists.apache.org |
[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability | | lists.apache.org |
[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 | | lists.apache.org |
Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com |
[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295 | | lists.apache.org |
CVE-2021-21290 Apache Netty Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com |
[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0 | | lists.apache.org |
[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290 | | lists.apache.org |
[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final | | lists.apache.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 178527 Debian Security Update for netty (DSA 4885-1)
  • 180593 Debian Security Update for netty (CVE-2021-21290)
  • 199574 Ubuntu Security Notification for Netty Vulnerabilities (USN-6049-1)
  • 239353 Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.3.7 (RHSA-2021:2048)
  • 239354 Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.3.7 (RHSA-2021:2047)
  • 239355 Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.3.7 (RHSA-2021:2046)
  • 239741 Red Hat Update for amq clients 2.9.1 release and (RHSA-2021:1511)
  • 240012 Red Hat Update for Satellite "6\\.10" (RHSA-2022:0190)
  • 240566 Red Hat Update for Satellite 6.11 Release (RHSA-2022:5498)
  • 375720 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJUL2021)
  • 960505 Rocky Linux Security Update for Satellite (RLSA-2022:5498)
  • 980333 Java (maven) Security Update for io.netty:netty-codec-http (GHSA-5mcr-gq6c-3hq2)
© CVE.report 2026
