Bug 1906919 (CVE-2020-8908) - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
Summary: CVE-2020-8908 guava: local information disclosure via temporary directory cre...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8908
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1906922 1911484 1913093 1906920 1906921 1906923 1907649 1907650 1907651 1907652 1907653 1907654 1907655 1907656 1908330 1908332 1909294 1909295 1909297 1913092
Blocks: 1906924 2014197
TreeView+ depends on / blocked
 
Reported: 2020-12-11 19:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-16 14:07 UTC (History)
135 users (show)

Fixed In Version: guava 30.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-04 14:41:50 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0417 0 None None None 2021-02-04 13:36:40 UTC
Red Hat Product Errata RHSA-2021:0872 0 None None None 2021-03-16 13:43:51 UTC
Red Hat Product Errata RHSA-2021:0873 0 None None None 2021-03-16 13:35:49 UTC
Red Hat Product Errata RHSA-2021:0874 0 None None None 2021-03-16 13:39:54 UTC
Red Hat Product Errata RHSA-2021:0885 0 None None None 2021-03-16 13:19:40 UTC
Red Hat Product Errata RHSA-2021:0974 0 None None None 2021-03-23 14:18:30 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:07:54 UTC

Description Guilherme de Almeida Suckevicz 2020-12-11 19:07:56 UTC
A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.

Reference:
https://github.com/google/guava/issues/4011

Upstream patch:
https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40

Comment 1 Guilherme de Almeida Suckevicz 2020-12-11 19:08:44 UTC
Created guava tracking bugs for this issue:

Affects: fedora-all [bug 1906920]


Created guava20 tracking bugs for this issue:

Affects: fedora-32 [bug 1906921]


Created maven:3.5/guava20 tracking bugs for this issue:

Affects: fedora-all [bug 1906922]


Created maven:3.6/guava tracking bugs for this issue:

Affects: fedora-all [bug 1906923]

Comment 2 Jason Shepherd 2020-12-14 23:21:59 UTC
OpenShift Container Platform separates /tmp directory in a container from that on the host. Unprivileged containers such as the ones which include the guava dependency do not have permissions to mount the host, or other container's /tmp directory so this vulnerability has no impact.

Comment 4 Anten Skrabec 2020-12-16 01:10:51 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.

Comment 15 errata-xmlrpc 2021-02-04 13:36:35 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.8.1

Via RHSA-2021:0417 https://access.redhat.com/errata/RHSA-2021:0417

Comment 16 Product Security DevOps Team 2021-02-04 14:41:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8908

Comment 17 errata-xmlrpc 2021-03-16 13:19:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885

Comment 18 errata-xmlrpc 2021-03-16 13:35:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873

Comment 19 errata-xmlrpc 2021-03-16 13:39:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874

Comment 20 errata-xmlrpc 2021-03-16 13:43:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872

Comment 21 errata-xmlrpc 2021-03-23 14:18:25 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.6

Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974

Comment 23 errata-xmlrpc 2021-06-02 14:23:39 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP via EAP 7.3.x base

Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210

Comment 26 errata-xmlrpc 2021-11-16 14:07:49 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702


Note You need to log in before you can comment on or make changes to this bug.