A temp directory creation vulnerability exists in Guava versions prior to 30.0, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or updating to Java 7 or later, or explicitly changing the permissions after the creation of the directory if neither is possible. Reference: https://github.com/google/guava/issues/4011 Upstream patch: https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40
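One way to apply the two code-level mitigations named in the description (the Java 7+ NIO API, and explicitly tightening permissions on a directory that already exists), as an added example that is not part of the original report or of Guava's code. The class and method names are hypothetical, and the example assumes a POSIX file system for the permission checks.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical helper class, not part of Guava or the JDK.
public class PrivateTempDir {
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");
    private static final boolean POSIX = FileSystems.getDefault()
            .supportedFileAttributeViews().contains("posix");

    // Replacement for com.google.common.io.Files.createTempDir():
    // the mode is applied when the directory is created, so there is
    // no window in which other local users can open it.
    static Path createPrivateTempDir(String prefix) throws IOException {
        if (POSIX) {
            return Files.createTempDirectory(prefix,
                    PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        }
        // Non-POSIX file systems (e.g. Windows) reject POSIX attributes.
        return Files.createTempDirectory(prefix);
    }

    // Fallback when the directory was already created by an old Guava
    // call. The directory keeps its original mode until this runs, so
    // call it before writing anything into the directory.
    static void restrictExisting(Path dir) throws IOException {
        if (POSIX) {
            Files.setPosixFilePermissions(dir, OWNER_ONLY);
        }
    }

    // Audit check: true only if group and others have no access.
    static boolean isOwnerOnly(Path dir) throws IOException {
        return POSIX && Files.getPosixFilePermissions(dir).equals(OWNER_ONLY);
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("example-"); // constructed prefix
        try {
            System.out.println(dir + " owner-only: " + isOwnerOnly(dir));
        } finally {
            Files.delete(dir);
        }
    }
}
```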
Created guava tracking bugs for this issue: Affects: fedora-all [bug 1906920] Created guava20 tracking bugs for this issue: Affects: fedora-32 [bug 1906921] Created maven:3.5/guava20 tracking bugs for this issue: Affects: fedora-all [bug 1906922] Created maven:3.6/guava tracking bugs for this issue: Affects: fedora-all [bug 1906923]
OpenShift Container Platform separates the /tmp directory in a container from that on the host. Unprivileged containers, such as the ones which include the guava dependency, do not have permissions to mount the host's or other containers' /tmp directory, so this vulnerability has no impact.
Statement: Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.
This issue has been addressed in the following products: Red Hat AMQ 7.8.1 Via RHSA-2021:0417 https://access.redhat.com/errata/RHSA-2021:0417
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8908
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.6 Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974
This issue has been addressed in the following products: Red Hat EAP-XP via EAP 7.3.x base Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210
This issue has been addressed in the following products: Red Hat Satellite 6.10 for RHEL 7 Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702
This issue has been addressed in the following products: RHINT Camel-Q 2.2.1 Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
This issue has been addressed in the following products: RHINT Camel-K 1.6.4 Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029