CVE-2022-24823 : Security Advisory and Response

Netty, an open-source asynchronous event-driven network application framework, is impacted by a local information disclosure vulnerability in the package

io.netty:netty-codec-http

up to version 4.1.76.Final. This vulnerability, known as CVE-2022-24823, can lead to local information disclosure if temporary storing uploads on the disk is enabled. Read on to understand the impact, technical details, and mitigation strategies related to this vulnerability.

Understanding CVE-2022-24823

This section provides an overview of the local information disclosure vulnerability in Netty's

io.netty:netty-codec-http

package.

What is CVE-2022-24823?

The CVE-2022-24823 vulnerability in Netty's

io.netty:netty-codec-http

package can result in local information disclosure if temporary storage of uploads on the disk is enabled. This can impact applications running on Java version 6 and lower, particularly on Unix-like systems and very old versions of Mac OSX and Windows.

The Impact of CVE-2022-24823

The impact of CVE-2022-24823 includes a high confidentiality impact due to potential local information disclosure. However, the availability and integrity impacts are rated as none. A low level of privileges is required for exploitation, and the attack vector is local.

Technical Details of CVE-2022-24823

This section delves into the technical aspects of the vulnerability, including its description, affected systems and versions, and exploitation mechanism.

Vulnerability Description

The vulnerability arises from an insufficient fix in Netty's

io.netty:netty-codec-http

package versions prior to 4.1.77.Final, allowing local information disclosure via the local system temporary directory when storing uploads on the disk.

Affected Systems and Versions

Systems using Netty with versions up to 4.1.76.Final are affected by this vulnerability, particularly impacting applications on Java version 6 and lower running on Unix-like systems, old Mac OSX, and Windows versions sharing the system temporary directory.

Exploitation Mechanism

Exploitation of CVE-2022-24823 involves enabling temporary storage of uploads on the disk, resulting in potential local information disclosure. Attack complexity is rated as low, and user interaction is not required.

Mitigation and Prevention

To address the CVE-2022-24823 vulnerability, consider immediate steps to take, long-term security practices, and the importance of patching and updates.

Immediate Steps to Take

As an immediate mitigation measure, specify a custom

java.io.tmpdir

when starting the JVM or utilize

DefaultHttpDataFactory.setBaseDir(...)

to set a directory accessible only by the current user.

Long-Term Security Practices

Implement secure coding practices, perform regular security audits, and limit access to sensitive directories to enhance long-term security.

Patching and Updates

Ensure that affected systems are promptly updated to version 4.1.77.Final of the

io.netty:netty-codec-http

package, which contains a patch for the vulnerability.