
CVE-2022-24823 - netty-common vulnerable to Information Exposure due to an incomplete fix to CVE-2021-21290 #12610

Closed
abstractj opened this issue Jun 20, 2022 · 2 comments
Assignees
Labels
area/dependencies kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected
Milestone

Comments

@abstractj
Contributor

abstractj commented Jun 20, 2022

Summary

Affected versions of this package are vulnerable to Information Exposure due to an incomplete fix to CVE-2021-21290, which still allowed one exploitable path. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory, if temporary storage of uploads on disk is enabled.

Note: To be vulnerable, a victim application has to run on a Unix-like operating system, and with Java 6 or below.

Version

18.0.0 or higher

Impact

Low. Keycloak supports Java 8 JRE, or Java 11 JRE. Users running Java 6 are strongly encouraged to upgrade.

Remediation

Upgrade io.netty:netty-common to version 4.1.77.Final or higher.

Additional information

Before updating netty-common in Keycloak, it is first necessary to update it in Quarkus directly. As of now, Quarkus is still on version 4.1.74.Final of netty-common.

Their team is working to upgrade the dependency. After that, we need to wait for the upcoming releases.
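The check below is an added example, not part of the issue or of Keycloak's code: it scans constructed `mvn dependency:tree` output for `io.netty:netty-common` and compares each resolved version against the fixed version from the remediation above, then applies the issue's preconditions (vulnerable version, Java 6 or below, Unix-like OS) to decide whether a deployment is actually exposed. The sample tree text and the `is_exposed` helper are assumptions for illustration.

```python
import re

# Fixed version stated in the issue's remediation section.
FIXED_VERSION = "4.1.77.Final"

# Constructed sample of `mvn dependency:tree -Dverbose` output (not real Keycloak
# output). netty-common arrives transitively via Infinispan, as the issue describes;
# the parenthesised line is a version Maven dropped by nearest-wins resolution.
SAMPLE_TREE = """\
[INFO] org.keycloak:keycloak-quarkus-server:jar:18.0.0
[INFO] +- org.infinispan:infinispan-client-hotrod:jar:13.0.0.Final:compile
[INFO] |  \\- io.netty:netty-transport:jar:4.1.74.Final:compile
[INFO] |     \\- io.netty:netty-common:jar:4.1.74.Final:compile
[INFO] \\- io.netty:netty-codec-http:jar:4.1.74.Final:compile
[INFO]    \\- (io.netty:netty-common:jar:4.1.70.Final:compile - omitted for conflict with 4.1.74.Final)
"""

NETTY_COMMON = re.compile(r"io\.netty:netty-common:jar:([^:\s)]+)")


def parse_netty_version(version):
    """Turn '4.1.74.Final' into a comparable tuple (4, 1, 74); the qualifier is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\w+)?", version)
    if not m:
        raise ValueError(f"unexpected netty version string: {version}")
    return tuple(int(x) for x in m.groups())


def find_netty_common(tree_text):
    """Return [(version, is_vulnerable)] for each netty-common actually on the classpath.

    Lines marked 'omitted for' are versions Maven did not select, so they are skipped;
    flagging them would produce false positives.
    """
    fixed = parse_netty_version(FIXED_VERSION)
    results = []
    for line in tree_text.splitlines():
        if "omitted for" in line:
            continue
        for version in NETTY_COMMON.findall(line):
            results.append((version, parse_netty_version(version) < fixed))
    return results


def is_exposed(netty_version, java_major, unix_like):
    """Apply the issue's preconditions: vulnerable netty-common AND Java <= 6 AND Unix-like OS."""
    vulnerable = parse_netty_version(netty_version) < parse_netty_version(FIXED_VERSION)
    return vulnerable and java_major <= 6 and unix_like


if __name__ == "__main__":
    for version, vulnerable in find_netty_common(SAMPLE_TREE):
        print(version, "below fixed version" if vulnerable else "ok")
    # Keycloak runs on Java 8 or 11, so the vulnerable artifact alone does not mean exposure.
    print("exposed on Java 8:", is_exposed("4.1.74.Final", java_major=8, unix_like=True))
```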

@abstractj
Contributor Author

abstractj commented Oct 6, 2022

Netty is a transitive dependency coming from Infinispan on Quarkus. The Quarkus team has already upgraded it on main: https://github.com/quarkusio/quarkus/blob/main/bom/application/pom.xml#L133. We need to wait for the upcoming releases.

@abstractj abstractj added the kind/cve and kind/weakness labels, then removed them, Oct 19, 2022
@abstractj abstractj added this to the 20.0.0 milestone Oct 19, 2022
@abstractj
Contributor Author

Solved in the last Quarkus upgrade #14834
