Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-dev] Regarding support required for few vulnerabilities of Jetty

Hello,

The current plan (which is subject to change) is to provide support for Jetty 9.4.x as long as there is official support for Java 8 available. That being said, 9.4.x should be considered feature complete, with new functionality being reserved for Jetty 10, 11, and beyond. We will still be fixing bugs and providing security patches for 9.4.x, but active development on the branch is effectively over at this point and has been for some time. We try to always push out a notification a year in advance of a branch being End of Life, as we've done in the past with 9.3, 9.2...etc, and will do so when we finally retire 9.4.

In the meantime, users are free to use Jetty 9.4.x, but I would strongly advise them to look towards upgrading to Jetty 10 (which uses the javax.* namespace) or Jetty 11 (which uses the jakarta.* namespace).

If you are a business that has questions or requires expanded support for Jetty 9.4.x, please reach out to chris@xxxxxxxxxxx and we can have a chat about how Webtide can help you reach your goals.

Cheers,
Chris

On Tue, Aug 24, 2021 at 3:53 AM Guillaume Maillard <guillaume.maillard@xxxxxxxxx> wrote:
Hi,

For support, contact Webtide to buy a professional support.
Jetty 9.4 is still used on a lot of  production environments, it's stable and secure (for all our uses cases).

Regards,
Guillaume
 

Le mar. 24 août 2021 à 06:19, Apoorva Maheshwari via jetty-dev <jetty-dev@xxxxxxxxxxx> a écrit :

Thanks for the quick action. Kindly answer the below query:

 

  1. Jetty at the download page recommends to use Jetty 10 or Jetty 11 there is not information mention till when Jetty 9.X series will be supported. Can we have some information on the support for 9.x series.

Regards,

Apoorva Maheshwari

 

From: jetty-dev <jetty-dev-bounces@xxxxxxxxxxx> On Behalf Of Chris Walker
Sent: Thursday, August 19, 2021 6:38 PM
To: Jetty @ Eclipse developer discussion list <jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] Regarding support required for few vulnerabilities of Jetty

 

Hello,

 

I've corrected this on the project page and the severity should be correctly reflected shortly.

 

Cheers,

Chris

 

On Thu, Aug 19, 2021 at 3:16 AM Lachlan Roberts <lachlan@xxxxxxxxxxx> wrote:

Apoorva,

 

I think this is just a mistake on the security reports page, it was not downgraded in severity. For more detailed information on this you should look at the github security advisory. This contains the up to date information on the issue with a workaround.

 

Cheers,

Lachlan

 

On Thu, Aug 19, 2021 at 3:50 PM Apoorva Maheshwari via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:

Thanks Joakim for the clarification.

 

Can you please confirm as per Jetty Security Report page (https://www.eclipse.org/jetty/security_reports.php), CVE-2021-28165 is mentioned as Medium (Exploit: Medium, Severity: Medium).

Although as per NVD, severity of this CVE is High (https://nvd.nist.gov/vuln/detail/CVE-2021-28165).

 

Have you done any impact analysis and based on that you have reduced the severity ?

If yes, then please provide the impact analysis details.

 

Thanks in Advance.

 

Regards,

Apoorva Maheshwari

 

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Sent: Thursday, August 12, 2021 5:14 PM
To: Apoorva Maheshwari <apoorva.maheshwari@xxxxxxxxxxxx>
Cc: Jetty @ Eclipse developer discussion list <jetty-dev@xxxxxxxxxxx>
Subject: Re: [jetty-dev] Regarding support required for few vulnerabilities of Jetty

 

> > The CVEs have been fixed, in their appropriate versions.

> Jetty 9.x, 10.x, and 11.x all have fixes, the individual CVEs have details on which versions are impacted, and which versions have the fixes.

 

All of the confirmations you need about the CVEs themselves are here https://www.eclipse.org/jetty/security_reports.php (including what Jetty versions are impacted, and what Jetty versions have the fix)

All of details on what version of Jetty supports what version of minimum version of Java are here https://www.eclipse.org/jetty/ (table at bottom) and here https://www.eclipse.org/jetty/download.php#version-table

 

There are 3 active developed lines of Jetty, a CVE can cover some or all of the actively maintained lines of Jetty versions, we provide the information you need in the links above.

We cannot narrow it down further for you, you have to read that information yourself and determine for yourself if what you are looking for fits your needs.

 

> Actually we are just downloading Eclipse Jar from the link below.

https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-4.10-201812060815/equinox-SDK-4.10.zip

 

That is an ancient version of Eclipse Equinox.

Eclipse Jetty is not involved in the construction of that Equinox zip.

 

> We are unable to understand this P2 repository concept.

> Kindly provide more info to that.

 

Eclipse projects that use OSGi (Eclipse Jetty is not one of them), put their built bundles in a P2 repository that other Eclipse OSGi based projects use to build their own project from.

If you are building with OSGi and Equinox, you need to get familiar with the whole P2 repository concept quickly, as the long term effort for your Java 8 based project will depend on you maintaining your own P2 repository with the changes you need in projects that have moved past Java 8 years ago.

 

The Eclipse Equinox group tends to not release updates for old versions of Equinox (they are too busy to do that).

 

If you have a need to stay with that old version of Equinox, then it is on you to download the source for that version, update it yourself, and build it yourself with what you need.

That includes all of the infrastructure to support that build, which means you have to build and maintain on your premises the P2 repositories for this new version of Equinox that you built, along with all of the supporting dependencies and jars that equinox needs.

 

What does this mean? How complicated is it? How can we do that?  

I don't know.  And I'll repeat it again in a different way, the Jetty project is not involved in the building of other Eclipse projects.

 

If you need help with this effort, you'll need to reach out to the Eclipse Equinox folks, just be patient, as they are very busy.

 

Advice: Staying with Java 8 means you and your project will have an exponentially increasing amount of work and effort on your side, as many projects have already moved to Java 11 as their minimum versions for their actively developed and maintained versions of their projects.  That means you will have to maintain versions of your critical dependencies that no longer have updates for Java 8.  There is no expectation of maintenance for old versions of the projects you use, if the project has moved on, you will either need to move on as well, or stay with the old version and all of it's faults, or maintain a fork of that project for your own purposes.  Fewer and fewer projects maintain their Java 8 codebases due to the dramatic changes in Java 8 networking over the past few years. (see https://java.com/en/jre-jdk-cryptoroadmap.html - Oracle, in an effort to stay relevant to the pace of change in SSL/TLS, has had to make dramatic changes to the Java 8 networking implementation multiple times, and these changes make supporting the networking across Java 8 versions increasingly difficult for many projects).   

 

In short, staying with Java 8 means you will be doing more and more work, eventually you'll have to look at the effort to update to Java 11 and see which one is less work. (many hundreds of projects have done this analysis and found that moving to Java 11 is less work)

 

Eclipse Jetty has recent releases (several this year) in the Jetty 9.4.x series (see linked tables above) for Java 8 (see linked tables above).

You have to decide if the CVE (see linked tables above) ...

  1. Impacts you currently with your combination of Jetty features, Jetty version, and Java version, that you are using.
  2. Has a fixed Jetty version that is appropriate for you and your chosen Java version.

Read the links we've provided for you multiple times now across multiple emails.

The information you seek is there, in the linked tables above, I promise. 

We cannot narrow it down or be more precise for you, as it depends on too many factors that only you know.

 

Joakim Erdfelt / joakim@xxxxxxxxxxx

 

 

On Thu, Aug 12, 2021 at 4:40 AM Apoorva Maheshwari <apoorva.maheshwari@xxxxxxxxxxxx> wrote:

Also as per trail mail reply from your side its written:

 

The CVEs have been fixed, in their appropriate versions.

Jetty 9.x, 10.x, and 11.x all have fixes, the individual CVEs have details on which versions are impacted, and which versions have the fixes.

 

I need a confirmation whether these vulnerabilities fixes will be on java 11 or java 8?

 

Regards,

Apoorva Maheshwari

 

From: Apoorva Maheshwari
Sent: Thursday, August 12, 2021 1:22 PM
To: Joakim Erdfelt <joakim@xxxxxxxxxxx>; Jetty @ Eclipse developer discussion list <jetty-dev@xxxxxxxxxxx>
Subject: RE: [jetty-dev] Regarding support required for few vulnerabilities of Jetty

 

Hello,

 

Thanks for your reply.

 

Actually we are just downloading Eclipse Jar from the below link.

 

https://www.eclipse.org/downloads/download.php?file=/equinox/drops/R-4.10-201812060815/equinox-SDK-4.10.zip

 

We are unable to understand this P2 repository concept.

Kindly provide more info to that.

 

Regards,

Apoorva Maheshwari

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Sent: Monday, August 9, 2021 7:46 PM
To: Jetty @ Eclipse developer discussion list <jetty-dev@xxxxxxxxxxx>
Cc: Apoorva Maheshwari <apoorva.maheshwari@xxxxxxxxxxxx>
Subject: Re: [jetty-dev] Regarding support required for few vulnerabilities of Jetty

 

Sending the same question doesn't change the existing answer.

The CVEs have been fixed, in their appropriate versions.

Jetty 9.x, 10.x, and 11.x all have fixes, the individual CVEs have details on which versions are impacted, and which versions have the fixes.

 

The P2 repositories at eclipse.org are for consumption by other Eclipse projects only.

The P2 repositories at eclipse.org are not meant to be used by the general public for your own projects as you are currently doing.

 

We, Eclipse Jetty, do not build the P2 repositories you have found on eclipse.org, those are built by the other Eclipse projects that need/want them for their OSGi needs.

Last we heard, there are about 7 such P2 repositories scattered around eclipse.org with Eclipse Jetty artifacts present in them.

The P2 repositories you have found are always incomplete copies of what Eclipse Jetty distributes, as the other eclipse projects only build and place into their P2 repository the limited set of features and jars that they personally need.

 

If you require Jetty 9.4.x series on a P2 repo, you are expected to build the P2 repositories in your own infrastructure.

 

Note that P2 repositories as a whole are now deprecated and are going away in light of the new Tycho features that can provide P2 like features but from a maven repository.


Joakim Erdfelt / joakim@xxxxxxxxxxx

 

 

On Mon, Aug 9, 2021 at 8:29 AM Apoorva Maheshwari via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:

Hi Team,

 

In one of our node we are currently using equinox version 4.16 with has jetty version 9.4.29. Latest version available for equinox upgrade is 4.20 which is using jetty 10.0.5 and jetty 10.x has dependency on Java-11. I have attached the current study document with this email. Let me know if you need any information.

 

Please confirm if you can share the fix for these open vulnerabilities as backport?

 

Eclipse Jetty denial of service in jetty-io CVE-2021-28165

 

Jetty Utility Servlets Double Decoding Information Disclosure Vulnerability CVE-2021-28169

 

https://nvd.nist.gov/vuln/detail/CVE-2021-34428    CVE-2021-34428

 

Quick response will be appreciated.

 

Thanks in advance.


Regards,

APOORVA MAHESHWARI  

Sr. Software Engineer
BDGS, R&D
2nd Floor, ASF Insignia - Block B Kings Canyon,
Gwal Pahari, Gurgaon, Haryana 122003, India
Phone: 8860498817
apoorva.maheshwari@xxxxxxxxxxxx
www.ericsson.com

 

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev


 

--

Chris Walker / chris@xxxxxxxxxxx

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-dev


--
Chris Walker / chris@xxxxxxxxxxx

Back to the top