CVE-2021-28168: Eclipse Jersey Information Disclosure Flaw

CVE-2021-28168 Overview

Eclipse Jersey versions 2.28 to 2.33 and 3.0.0 to 3.0.1 contain a local information disclosure vulnerability caused by insecure temporary file creation. The vulnerability stems from the use of File.createTempFile which creates files in the system temporary directory with world-readable permissions (-rw-r--r--). This allows any local user on the system to read the contents of these temporary files, potentially exposing security-sensitive information written by Jersey applications.

Critical Impact
Local attackers with system access can read sensitive data from temporary files created by Jersey applications, potentially exposing credentials, session tokens, or other confidential information processed by the application.

Affected Products

Eclipse Jersey versions 2.28 through 2.33
Eclipse Jersey versions 3.0.0 through 3.0.1
Oracle Communications Cloud Native Core Policy 1.15.0
Oracle Communications Cloud Native Core Unified Data Repository 1.15.0

Discovery Timeline

April 22, 2021 - CVE-2021-28168 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-28168

Vulnerability Analysis

This vulnerability represents a classic insecure temporary file creation pattern in Java applications. When Eclipse Jersey creates temporary files using the standard File.createTempFile() method, these files inherit default permissions that make them readable by all users on the system. On Unix-like systems, this results in files with mode 644 (-rw-r--r--), allowing any local user to read file contents.

The vulnerability is classified under CWE-378 (Creation of Temporary File With Insecure Permissions) and CWE-668 (Exposure of Resource to Wrong Sphere). While the attack requires local access to the system, the confidentiality impact is significant since an attacker can access any data written to these temporary files by the Jersey framework.

Root Cause

The root cause is the use of Java's File.createTempFile() method without subsequent permission restrictions. This legacy Java API creates files with platform-default permissions that are overly permissive on most systems. The proper mitigation involves using Java NIO's Files.createTempFile() with explicit PosixFilePermissions to restrict file access to the owner only.

Attack Vector

An attacker exploiting this vulnerability requires local access to the target system where a vulnerable Jersey application is running. The attack proceeds as follows:

The attacker monitors the system's temporary directory (typically /tmp on Unix systems) for files created by the Jersey application
When the vulnerable application creates temporary files, they are created with world-readable permissions
The attacker reads the contents of these files before they are deleted
If the files contain sensitive data such as authentication tokens, request bodies, or cached credentials, the attacker gains access to this information

The vulnerability specifically affects multipart form data processing, where Jersey may temporarily store uploaded file contents or request data in the system temporary directory before processing.

Detection Methods for CVE-2021-28168

Indicators of Compromise

Unusual read access to temporary files in /tmp or system temporary directories by unauthorized user accounts
Monitoring of temporary file creation patterns by non-application users
Presence of unauthorized processes performing inotify watches on temporary directories
Log entries showing repeated access to Jersey-created temporary files from different user contexts

Detection Strategies

Monitor file access patterns in system temporary directories for unauthorized reads of Jersey application temporary files
Implement file integrity monitoring to detect when temporary files are accessed by users other than the application owner
Review application dependency manifests to identify vulnerable Eclipse Jersey versions in your software inventory
Use software composition analysis (SCA) tools to scan for affected Jersey library versions across your environment

Monitoring Recommendations

Configure auditd or similar auditing tools to log read operations on the system temporary directory by non-application users
Implement real-time alerting for unusual file access patterns in temporary storage locations
Monitor for reconnaissance activity targeting application temporary file naming conventions
Review application logs for potential data exposure events correlating with temporary file creation

How to Mitigate CVE-2021-28168

Immediate Actions Required

Upgrade Eclipse Jersey to version 2.34 or later (for 2.x branch) or 3.0.2 or later (for 3.x branch)
Review Oracle product deployments and apply patches from the Oracle Critical Patch Update April 2022
Audit systems for any evidence of local user access to Jersey application temporary files
Restrict access to system temporary directories where feasible through OS-level controls

Patch Information

Eclipse has addressed this vulnerability in the official fix merged via GitHub Pull Request #4712. The fix modifies temporary file creation to use secure APIs that create files with owner-only permissions. Organizations should upgrade to patched versions as soon as possible.

For detailed technical information about the vulnerability and its remediation, refer to the GitHub Security Advisory GHSA-c43q-5hpj-4crv.

Workarounds

Configure the application to use a dedicated temporary directory with restrictive permissions (mode 700) accessible only to the application user
Implement OS-level access controls on the system temporary directory to limit which users can list directory contents
Deploy applications in containerized environments with isolated temporary file systems
Configure process isolation to prevent other users from accessing the application's temporary file space

bash

# Create a dedicated secure temporary directory for the application
mkdir -p /var/tmp/jersey-secure
chmod 700 /var/tmp/jersey-secure
chown appuser:appgroup /var/tmp/jersey-secure

# Set the Java temporary directory for the application
export JAVA_OPTS="-Djava.io.tmpdir=/var/tmp/jersey-secure"

CVE-2021-28168 Overview

Critical Impact
Local attackers with system access can read sensitive data from temporary files created by Jersey applications, potentially exposing credentials, session tokens, or other confidential information processed by the application.

Affected Products

Eclipse Jersey versions 2.28 through 2.33
Eclipse Jersey versions 3.0.0 through 3.0.1
Oracle Communications Cloud Native Core Policy 1.15.0
Oracle Communications Cloud Native Core Unified Data Repository 1.15.0

Discovery Timeline

April 22, 2021 - CVE-2021-28168 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-28168

Vulnerability Analysis

Root Cause

Attack Vector

An attacker exploiting this vulnerability requires local access to the target system where a vulnerable Jersey application is running. The attack proceeds as follows:

The attacker monitors the system's temporary directory (typically /tmp on Unix systems) for files created by the Jersey application
When the vulnerable application creates temporary files, they are created with world-readable permissions
The attacker reads the contents of these files before they are deleted
If the files contain sensitive data such as authentication tokens, request bodies, or cached credentials, the attacker gains access to this information

The vulnerability specifically affects multipart form data processing, where Jersey may temporarily store uploaded file contents or request data in the system temporary directory before processing.

Detection Methods for CVE-2021-28168

Indicators of Compromise

Unusual read access to temporary files in /tmp or system temporary directories by unauthorized user accounts
Monitoring of temporary file creation patterns by non-application users
Presence of unauthorized processes performing inotify watches on temporary directories
Log entries showing repeated access to Jersey-created temporary files from different user contexts

Detection Strategies

Monitor file access patterns in system temporary directories for unauthorized reads of Jersey application temporary files
Implement file integrity monitoring to detect when temporary files are accessed by users other than the application owner
Review application dependency manifests to identify vulnerable Eclipse Jersey versions in your software inventory
Use software composition analysis (SCA) tools to scan for affected Jersey library versions across your environment

Monitoring Recommendations

Configure auditd or similar auditing tools to log read operations on the system temporary directory by non-application users
Implement real-time alerting for unusual file access patterns in temporary storage locations
Monitor for reconnaissance activity targeting application temporary file naming conventions
Review application logs for potential data exposure events correlating with temporary file creation

How to Mitigate CVE-2021-28168

Immediate Actions Required

Upgrade Eclipse Jersey to version 2.34 or later (for 2.x branch) or 3.0.2 or later (for 3.x branch)
Review Oracle product deployments and apply patches from the Oracle Critical Patch Update April 2022
Audit systems for any evidence of local user access to Jersey application temporary files
Restrict access to system temporary directories where feasible through OS-level controls

Patch Information

For detailed technical information about the vulnerability and its remediation, refer to the GitHub Security Advisory GHSA-c43q-5hpj-4crv.

Workarounds

Configure the application to use a dedicated temporary directory with restrictive permissions (mode 700) accessible only to the application user
Implement OS-level access controls on the system temporary directory to limit which users can list directory contents
Deploy applications in containerized environments with isolated temporary file systems
Configure process isolation to prevent other users from accessing the application's temporary file space

bash

# Create a dedicated secure temporary directory for the application
mkdir -p /var/tmp/jersey-secure
chmod 700 /var/tmp/jersey-secure
chown appuser:appgroup /var/tmp/jersey-secure

# Set the Java temporary directory for the application
export JAVA_OPTS="-Djava.io.tmpdir=/var/tmp/jersey-secure"

CVE-2021-28168: Eclipse Jersey Information Disclosure Flaw

CVE-2021-28168 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-28168

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-28168

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-28168

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-28168: Eclipse Jersey Information Disclosure Flaw

CVE-2021-28168 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-28168

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-28168

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-28168

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform