Eclipse 2020-09 is affected by CVE-2020-27216 via its inclusion of Jetty 9.4.31.v20200723.
Here is the Jetty advisory:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
Here is the CVE:
https://nvd.nist.gov/vuln/detail/CVE-2020-27216
I haven’t yet checked if there is a bug logged for this in Eclipse Bugzilla, but I plan to do so ASAP.
I maintain a local fork of epp.packages, primarily for fixing CVEs in Eclipse for C/C++ developers in support of releases that are out of synch with Eclipse SimRel releases.
I do this by inserting a target definition into the build defined in releng/org.eclipse.epp.config/parent/pom.xml.
This lets me override dependency versions, which are typically the root cause of CVEs.
However, in cases like CVE-2020-27216 where the CVE exposure comes from a transitive dependency of an Eclipse feature that EPP.CDT depends on, it doesn’t seem like it’s possible to override the transitive dependency because the upstream Eclipse feature needs a specific version.
In this case, the chain is
CDT depends on Platform, Platform provides Help, Help depends on Jetty 9.4.31
When I add Jetty 9.4.34 to my target definition, it is ignored, because the Jetty dependency is resolved via the Help feature.
If I try to force it by adding a restrictTo filter to the Tycho build, I get Missing requirement/Cannot satisfy dependency errors (see below for relevant error example).
I have two more ideas for how to replace Jetty.
- Fork Eclipse Platform so that I can bump the version of Jetty. This is not a practical solution for me in the timeframe I have available.
- Replace the Jetty plugins post-build. I’m not sure if this will even work, but it’s very ugly and risky.
Any suggestions for how to replace Jetty without forking Eclipse Platform or a post-build brute force hack?
Thank you.
Tony Homer
…
[INFO] Performing subquery
[INFO] Resolving dependencies of MavenProject: org.eclipse.epp:org.eclipse.epp.package.cpp.feature:4.17.0-SNAPSHOT @ MYBUILDROOT/packages/org.eclipse.epp.package.cpp.feature/pom.xml
[INFO] {osgi.os=linux, osgi.ws=gtk, org.eclipse.update.install.features=true, osgi.arch=x86_64}
[ERROR] Cannot resolve project dependencies:
[ERROR] Software being installed: org.eclipse.epp.package.cpp.feature.feature.group 4.17.0.qualifier
[ERROR] Missing requirement: org.eclipse.help.feature.group 2.3.300.v20200902-1800 requires 'org.eclipse.equinox.p2.iu; org.eclipse.jetty.continuation [9.4.31.v20200723,9.4.31.v20200723]' but it could not be found
[ERROR] Cannot satisfy dependency: org.eclipse.epp.package.cpp.feature.feature.group 4.17.0.qualifier depends on: org.eclipse.equinox.p2.iu; org.eclipse.platform.ide 0.0.0
[ERROR] Cannot satisfy dependency: org.eclipse.platform.feature.group 4.17.0.v20200902-1800 depends on: org.eclipse.equinox.p2.iu; org.eclipse.help.feature.group [2.3.300.v20200902-1800,2.3.300.v20200902-1800]
[ERROR] Cannot satisfy dependency: org.eclipse.platform.ide 4.17.0.I20200902-1800 depends on: org.eclipse.equinox.p2.iu; org.eclipse.platform.feature.group [4.17.0.v20200902-1800,4.17.0.v20200902-1800]
[ERROR]
[ERROR] See https://wiki.eclipse.org/Tycho/Dependency_Resolution_Troubleshooting for help.
[ERROR] Cannot resolve dependencies of MavenProject: org.eclipse.epp:org.eclipse.epp.package.cpp.feature:4.17.0-SNAPSHOT @ MYBUILDROOT /packages/org.eclipse.epp.package.cpp.feature/pom.xml: See log for details
-> [Help 1]
…
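An added post-build check, not part of the message above or of epp.packages: it inventories the org.eclipse.jetty.* bundle jars in a built package's plugins directory and flags any whose OSGi version is below the one the target-definition override was meant to pull in, so you can tell whether the override actually landed. The 9.4.34 minimum is the version from the message; the sample filenames are constructed, and only jar-packaged bundles are examined.

```python
import re
from pathlib import Path

# OSGi bundle jar naming: <symbolic.name>_<major>.<minor>.<micro>[.<qualifier>].jar
BUNDLE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+?)_(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9_-]+)?)\.jar$"
)


def parse_version(version):
    """Split an OSGi version into ((major, minor, micro), qualifier)."""
    parts = version.split(".", 3)
    nums = tuple(int(p) for p in parts[:3])
    qualifier = parts[3] if len(parts) > 3 else ""
    return nums, qualifier


def find_jetty_bundles(filenames):
    """Map symbolic name -> version for every org.eclipse.jetty.* jar in the list."""
    found = {}
    for fn in filenames:
        m = BUNDLE_RE.match(fn)
        if m and m.group("name").startswith("org.eclipse.jetty."):
            found[m.group("name")] = m.group("version")
    return found


def outdated_jetty_bundles(filenames, minimum="9.4.34"):
    """Return the Jetty bundles whose numeric version is below `minimum` (qualifier ignored)."""
    min_nums, _ = parse_version(minimum)
    return sorted(
        name for name, ver in find_jetty_bundles(filenames).items()
        if parse_version(ver)[0] < min_nums
    )


def scan_plugins_dir(plugins_dir, minimum="9.4.34"):
    """Run the check against a real <eclipse>/plugins directory (jar bundles only)."""
    names = [p.name for p in Path(plugins_dir).iterdir() if p.is_file()]
    return outdated_jetty_bundles(names, minimum)


# Constructed sample listing standing in for a built package's plugins directory.
SAMPLE_PLUGINS = [
    "org.eclipse.jetty.continuation_9.4.31.v20200723.jar",
    "org.eclipse.jetty.server_9.4.31.v20200723.jar",
    "org.eclipse.jetty.util_9.4.34.v20201102.jar",
    "org.eclipse.help_3.8.900.v20200713-1057.jar",
    "org.eclipse.osgi_3.16.0.v20200828-0759.jar",
]

if __name__ == "__main__":
    for name in outdated_jetty_bundles(SAMPLE_PLUGINS):
        print("still below 9.4.34:", name)
```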