正文

Netty 安全漏洞

admin
admin V管理员 /0 评论 /11 阅读
0305
此篇文章发布距今已超过1160天,您需要注意文章的内容或图片是否可用!

漏洞信息详情

Netty 安全漏洞

  • CNNVD编号:CNNVD-202102-612
    • <!--
  • 危害等级: 中危-->
  • 危害等级: 中危
  • CVE编号: CVE-2021-21290
  • 漏洞类型: 其他
  • 发布时间: 2021-02-08
  • 威胁类型: 本地
  • 更新时间: 2021-11-25
  • 厂        商:
  • 漏洞来源: Red Hat

漏洞简介

Netty是Netty社区的一款非阻塞I/O客户端-服务器框架,它主要用于开发Java网络应用程序,如协议服务器和客户端等。

Netty 4.1.59之前版本存在安全漏洞,该漏洞源于当netty的多部分解码器被使用时,如果磁盘上的临时存储被启用,则本地信息可以通过本地系统临时目录进行公开。在类unix系统中,所有用户共享临时目录。因此,使用没有显式设置文件/目录权限的api写入该目录可能导致信息泄露。值得注意的是,这并不影响现代的MacOS操作系统。法”文件。createTempFile\"在类unix系统上创建一个随机文件,但默认情况下将创建这个文件,权限为\"-rw-r——r——\"。因此,如果将敏感信息写入该文件,其他本地用户就可以读取该信息。

漏洞公告

目前厂商已发布升级补丁以修复漏洞,补丁获取链接:

https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec

参考网址

来源:MLIST

链接:https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E

来源:MISC

链接:https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec

来源:MLIST

链接:https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E

来源:MLIST

链接:https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html

来源:MLIST

链接:https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E

来源:CONFIRM

链接:https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2

来源:MLIST

链接:https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E

来源:MISC

链接:https://www.oracle.com/security-alerts/cpuApr2021.html

来源:MLIST

链接:https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E

来源:DEBIAN

链接:https://www.debian.org/security/2021/dsa-4885

来源:MLIST

链接:https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E

来源:N/A

链接:https://www.oracle.com//security-alerts/cpujul2021.html

来源:MLIST

链接:https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E

来源:MISC

链接:https://www.oracle.com/security-alerts/cpuoct2021.html

来源:MISC

链接:https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E

来源:MLIST

链接:https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E

来源:www.ibm.com

链接:https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affects-ibm-watson-machine-learning-on-cp4d-cve-2021-21290/

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.2416

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021072765

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.1821

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/163517/Red-Hat-Security-Advisory-2021-2755-01.html

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.1924

来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2021-21290

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.1108

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.0515

来源:www.ibm.com

链接:https://www.ibm.com/support/pages/node/6495959

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.1571

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.3495

来源:vigilance.fr

链接:https://vigilance.fr/vulnerability/Netty-information-disclosure-via-Temporary-File-34567

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/162926/Red-Hat-Security-Advisory-2021-2210-01.html

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021072119

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.3256

来源:www.oracle.com

链接:https://www.oracle.com/security-alerts/cpujul2021.html

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021050706

来源:www.ibm.com

链接:https://www.ibm.com/support/pages/node/6518930

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/163477/Red-Hat-Security-Advisory-2021-2689-01.html

来源:www.ibm.com

链接:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-netty-shipped-with-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-cve-2021-21290-cve-2021-21295-cve-2021/

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/163922/Red-Hat-Security-Advisory-2021-3225-01.html

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/162035/Red-Hat-Security-Advisory-2021-0943-01.html

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021081922

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/162732/Red-Hat-Security-Advisory-2021-2070-01.html

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.1755

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/162714/Red-Hat-Security-Advisory-2021-2051-01.html

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/164346/Red-Hat-Security-Advisory-2021-3700-01.html

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021093016

来源:access.redhat.com

链接:https://access.redhat.com/security/cve/cve-2021-21290

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.2357

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.2896

来源:www.cybersecurity-help.cz

链接:https://www.cybersecurity-help.cz/vdb/SB2021071219

来源:www.auscert.org.au

链接:https://www.auscert.org.au/bulletins/ESB-2021.1144

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/164566/Red-Hat-Security-Advisory-2021-3880-01.html

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/162839/Red-Hat-Security-Advisory-2021-2139-01.html

来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/162490/Red-Hat-Security-Advisory-2021-1511-01.html

受影响实体

    暂无


补丁

  • Netty 安全漏洞的修复措施
    <!--
    2021-2-8
    -->