Netty CVE-2022-24823: Java 6 Legacy Systems at Risk of Local Information Disclosure via Multipart Decoders
A moderate-severity vulnerability in the widely used Netty framework exposes legacy Java systems to local information disclosure. The flaw, tracked as CVE-2022-24823, exists because the fix for an earlier issue (CVE-2021-21290) in the `io.netty:netty-codec-http` package was incomplete on old Java runtimes. Only systems running Java 6 or lower are affected: there, the HTTP multipart decoders can leak uploaded data through the shared system temporary directory when file uploads are spooled to disk. Java 7 and later are not affected, because Netty uses `Files.createTempFile` on those runtimes, which creates the spool file with owner-only permissions.
The risk is confined to an outdated stack but carries real consequences for the environments still on it. On Unix-like systems, and on very old versions of macOS and Windows, the system temporary directory (`java.io.tmpdir`, typically `/tmp`) is shared between all users on the machine, and the Java 6 `File.createTempFile` call creates files there with permissions governed by the process umask, which usually leaves them readable by everyone. When disk-backed storage is enabled in the multipart decoder, any other local user can therefore read the contents of files uploaded by other clients while they sit in that directory, leading to unauthorized information disclosure.
The complete fix ships in Netty version 4.1.77.Final. For systems that cannot be updated immediately, two workarounds are specified: administrators can set a custom `java.io.tmpdir` when starting the Java Virtual Machine, or application code can call `DefaultHttpDataFactory.setBaseDir(...)` to direct upload spooling to a directory that only the current user can read. In both cases the chosen directory must actually be created with owner-only permissions (mode 0700 on Unix), since pointing at another world-readable directory changes nothing. The vulnerability underscores the persistent challenge of securing legacy enterprise infrastructure that cannot easily be upgraded.
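The following shell script is an added example, not code from the Netty project or the advisory, showing the first workaround end to end: it creates a per-user spool directory with owner-only permissions, verifies that it is not shared, and emits the `-Djava.io.tmpdir` option for the JVM launch line. The directory and jar names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Netty project code): carve out a per-user temp directory
# and hand it to the JVM via -Djava.io.tmpdir, the first workaround from the
# advisory. Directory names and the jar path are assumptions for illustration.

# Print the octal permission bits of a path ("700", "1777", ...).
# GNU stat first, BSD/macOS stat as a fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed (return 0) when group or other have any permission bit set,
# i.e. when the directory is shared the way /tmp normally is (mode 1777).
is_shared_dir() {
  case "$(mode_of "$1")" in
    *00) return 1 ;;   # last two octal digits are zero: owner-only
    *)   return 0 ;;
  esac
}

# Create (or tighten) a directory that only the invoking user can enter,
# then refuse to continue if it still looks shared.
make_private_tmpdir() {
  dir=$1
  mkdir -p -m 0700 "$dir"
  chmod 0700 "$dir"          # also covers a pre-existing directory
  if is_shared_dir "$dir"; then
    echo "refusing: $dir is accessible to other users" >&2
    return 1
  fi
}

# The JVM option that makes Java 6 (and earlier) File.createTempFile spool
# uploads under the private directory instead of the system-wide one.
jvm_args() {
  printf '%s%s' '-Djava.io.tmpdir=' "$1"
}

# Demonstration: build the private directory, report whether the default
# temp directory is shared, and print the hardened launch command.
private_dir="${TMPDIR:-/tmp}/netty-uploads-$(id -u)"
make_private_tmpdir "$private_dir"
if is_shared_dir "${TMPDIR:-/tmp}"; then
  echo "system temp dir ${TMPDIR:-/tmp} is shared (mode $(mode_of "${TMPDIR:-/tmp}"))"
fi
echo "java $(jvm_args "$private_dir") -jar app.jar"
```

The same directory path can be passed to `DefaultHttpDataFactory.setBaseDir(...)` for the in-code workaround; the permission check is the part that matters in either case, because the leak comes from the directory being shared, not from which directory is used. A one-off `mktemp -d` also yields a 0700 directory, but a fixed per-user path is easier to reference from a service unit or start script.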