
CVE-2022-24823: CWE-668: Exposure of Resource to Wrong Sphere in netty netty

Medium
Published: Fri May 06 2022 (05/06/2022, 12:05:11 UTC)
Source: CVE
Vendor/Project: netty
Product: netty

Description

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

AI-Powered Analysis

Last updated: 06/22/2025, 01:51:03 UTC

Technical Analysis

CVE-2022-24823 is a medium-severity vulnerability in the Netty framework, specifically in the io.netty:netty-codec-http package in versions prior to 4.1.77.Final. Netty is a widely used open-source asynchronous event-driven network application framework for Java. The vulnerability is an incomplete fix for an earlier issue, CVE-2021-21290, in the multipart decoders that handle file uploads.

When an application uses Netty's multipart decoders with disk-backed storage enabled, upload contents above the configured in-memory threshold are written to temporary files. On the affected platforms those files are created in the shared system temporary directory with permissions that allow other local users to read them, so any local account on the same host can read the uploaded data while the file exists. The exposure is limited to applications running on Java 6 or earlier, and to Unix-like systems and very old versions of Mac OS X and Windows, where the system temporary directory is shared by all users.

Netty 4.1.77.Final corrects how the multipart codec creates its temporary upload files so that they are no longer readable by other local users. The workarounds are to start the JVM with a custom java.io.tmpdir, or to call DefaultHttpDataFactory.setBaseDir(...) so that uploads spill into a directory readable only by the user the application runs as. There are no known exploits in the wild. The vulnerability affects confidentiality only, through local information disclosure; exploitation requires a local account on the host and is limited to environments that combine an outdated Java runtime with an operating system that shares its temporary directory.

Potential Impact

For European organizations, the impact of CVE-2022-24823 is primarily on the confidentiality of data processed by applications that run a vulnerable Netty version on a legacy Java runtime and operating system. If exploited, an unauthorized local user could read the temporary files holding uploaded content, leading to data leakage. This matters most for sectors handling sensitive personal or business data, such as finance, healthcare and government, and in particular for organizations that still maintain legacy systems. The vulnerability does not affect Java 7 and later, nor modern operating systems with per-user temporary directories, which limits its scope. Integrity and availability are not affected, since the vulnerability does not allow modification of uploads or disruption of the service. Because a local account is required and only outdated environments are exposed, the risk is moderate, but it should not be dismissed where legacy infrastructure or older Java applications remain in use, including shared hosts and build or CI machines where many users or jobs share the same system temporary directory.

Mitigation Recommendations

European organizations should prioritize upgrading netty-codec-http to version 4.1.77.Final or later to remediate this vulnerability fully. Because the issue only affects Java 6 and earlier, moving the application to a supported Java release also removes the exposure. Where an immediate upgrade is not feasible, start the JVM with the java.io.tmpdir system property pointing at a directory accessible only to the application user; the JVM does not create that directory, so create it with owner-only permissions (mode 0700 on POSIX systems) before starting the service. Alternatively, call Netty's DefaultHttpDataFactory.setBaseDir(...) to direct temporary upload storage to such a directory. Audit Java runtime versions and operating systems to identify hosts running Java 6 or earlier, and legacy Unix-like or Windows versions that share a single temporary directory. Where legacy systems cannot be retired, apply strict access controls to, and monitoring of, the temporary directories used for uploads to detect unauthorized access. Review application configuration and, where upload sizes permit, disable disk-backed storage for multipart uploads in favour of in-memory processing (DefaultHttpDataFactory constructed with useDisk set to false) so that no upload data reaches the filesystem. Finally, keep security policies current so that unsupported Java versions and operating systems are phased out, reducing the attack surface for this class of vulnerability.
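The configurations discussed in the Technical Analysis and Mitigation sections, side by side, as an added example that is not code from the Netty project or from this advisory. The class name UploadTempDirHardening and the privateDir argument are assumptions; the Netty calls used (DefaultHttpDataFactory(boolean), DefaultHttpDataFactory(long), DefaultHttpDataFactory.MINSIZE, setBaseDir, setDeleteOnExit, HttpPostRequestDecoder, getBodyHttpDatas, destroy) are the library's real API. It deliberately uses only java.io.File, not java.nio.file, so that it compiles on Java 6, the runtime the advisory identifies as affected.

```java
import java.io.File;
import java.io.IOException;

import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.FileUpload;
import io.netty.handler.codec.http.multipart.HttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;

/**
 * Illustrative (hypothetical) helper, not part of Netty. Restricted to the
 * java.io.File API so that it compiles on Java 6, the runtime this CVE affects.
 */
public final class UploadTempDirHardening {

    /** Weak configuration: uploads above MINSIZE spill into java.io.tmpdir. */
    static DefaultHttpDataFactory weakFactory() {
        // useDisk = true and no base directory set: temp files are created in
        // the system temporary directory, which the affected platforms share
        // between all local users.
        return new DefaultHttpDataFactory(true);
    }

    /** Zero-disk configuration: every part stays in memory, nothing touches /tmp. */
    static DefaultHttpDataFactory inMemoryFactory() {
        return new DefaultHttpDataFactory(false);
    }

    /**
     * Hardened configuration: spill only into a directory that the current user
     * alone can enter. privateDir is an assumed, application-specific path.
     */
    static DefaultHttpDataFactory hardenedFactory(File privateDir) throws IOException {
        if (!privateDir.isDirectory() && !privateDir.mkdirs()) {
            throw new IOException("cannot create " + privateDir);
        }
        // Remove read/write/execute for everyone, then grant them to the owner
        // only (mode 0700 on POSIX). mkdirs() and these calls are not atomic;
        // the gap is covered by the process umask, so run the JVM with umask 077.
        // On Windows setReadable(false, ...) may return false, in which case
        // this fails closed rather than silently keeping a readable directory.
        boolean restricted = privateDir.setReadable(false, false)
                && privateDir.setWritable(false, false)
                && privateDir.setExecutable(false, false)
                && privateDir.setReadable(true, true)
                && privateDir.setWritable(true, true)
                && privateDir.setExecutable(true, true);
        if (!restricted) {
            throw new IOException("cannot restrict permissions on " + privateDir);
        }
        DefaultHttpDataFactory factory =
                new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE);
        factory.setBaseDir(privateDir.getAbsolutePath());
        factory.setDeleteOnExit(true); // best effort cleanup if the JVM exits early
        return factory;
    }

    /**
     * Decode a multipart body with the given factory and always destroy the
     * decoder, so that any file spilled to disk is deleted as soon as the
     * request has been handled.
     */
    static void handleUpload(HttpDataFactory factory, FullHttpRequest request) {
        HttpPostRequestDecoder decoder = new HttpPostRequestDecoder(factory, request);
        try {
            for (InterfaceHttpData part : decoder.getBodyHttpDatas()) {
                if (part.getHttpDataType() == InterfaceHttpData.HttpDataType.FileUpload) {
                    FileUpload upload = (FileUpload) part;
                    // Consume upload.getByteBuf() or move it with upload.renameTo(dest)
                    // here. Until destroy() runs, the bytes live either in memory or
                    // in a temp file under the factory's base directory.
                }
            }
        } finally {
            decoder.destroy(); // releases buffers and deletes temp files on disk
        }
    }
}
```

If the java.io.tmpdir route is used instead of setBaseDir, the same owner-only directory must be created before the JVM starts and passed as -Djava.io.tmpdir=/path/to/dir, because the JVM will not create it. Where upload sizes are bounded, inMemoryFactory() removes the filesystem from the picture entirely and is the simplest mitigation.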


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9848c4522896dcbf6498

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 1:51:03 AM

Last updated: 8/10/2025, 4:58:21 PM

