
Conversation

@shubh-ranade
Member

@shubh-ranade shubh-ranade commented Apr 1, 2024

Downgrade jetty to 9.4.53

common's jetty version was upgraded to 9.4.54 recently (confluentinc/common#582), which affects the userId/tenant-based DoS filters in this repo.

Dependencies after the downgrade:

❯ mvn dependency:tree -Dincludes=org.eclipse.jetty
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Detecting the operating system and CPU architecture
[INFO] ------------------------------------------------------------------------
[INFO] os.detected.name: osx
[INFO] os.detected.arch: aarch_64
[INFO] os.detected.bitness: 64
[INFO] os.detected.version: 14.3
[INFO] os.detected.version.major: 14
[INFO] os.detected.version.minor: 3
[INFO] os.detected.classifier: osx-aarch_64
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] rest-utils-parent                                                  [pom]
[INFO] rest-utils                                                         [jar]
[INFO] rest-utils-test                                                    [jar]
[INFO] rest-utils-example                                                 [jar]
[INFO] rest-utils-package                                                 [pom]
[INFO] rest-utils-fips-tests                                              [jar]
[INFO]
[INFO] -------------------< io.confluent:rest-utils-parent >-------------------
[INFO] Building rest-utils-parent 7.8.0-0                                 [1/6]
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- dependency:3.3.0:tree (default-cli) @ rest-utils-parent ---
[INFO]
[INFO] ----------------------< io.confluent:rest-utils >-----------------------
[INFO] Building rest-utils 7.8.0-0                                        [2/6]
[INFO]   from core/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.3.0:tree (default-cli) @ rest-utils ---
[INFO] io.confluent:rest-utils:jar:7.8.0-0
[INFO] +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-annotations:jar:9.4.53.v20231009:compile
[INFO] |     +- org.eclipse.jetty:jetty-plus:jar:9.4.53.v20231009:compile
[INFO] |     |  \- org.eclipse.jetty:jetty-jndi:jar:9.4.53.v20231009:compile
[INFO] |     \- org.eclipse.jetty:jetty-webapp:jar:9.4.53.v20231009:compile
[INFO] |        \- org.eclipse.jetty:jetty-xml:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-jmx:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-util:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-io:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-alpn-server:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-alpn-java-server:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-alpn-conscrypt-server:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-security:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-continuation:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-jaas:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty.http2:http2-client:jar:9.4.53.v20231009:test
[INFO] |  \- org.eclipse.jetty:jetty-alpn-client:jar:9.4.53.v20231009:test
[INFO] \- org.eclipse.jetty.http2:http2-http-client-transport:jar:9.4.53.v20231009:test
[INFO]    +- org.eclipse.jetty:jetty-client:jar:9.4.53.v20231009:compile
[INFO]    \- org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.53.v20231009:test
[INFO]
[INFO] --------------------< io.confluent:rest-utils-test >--------------------
[INFO] Building rest-utils-test 7.8.0-0                                   [3/6]
[INFO]   from test/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.3.0:tree (default-cli) @ rest-utils-test ---
[INFO] io.confluent:rest-utils-test:jar:7.8.0-0
[INFO] \- io.confluent:rest-utils:jar:7.8.0-0:compile
[INFO]    +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-annotations:jar:9.4.53.v20231009:compile
[INFO]    |  |  +- org.eclipse.jetty:jetty-plus:jar:9.4.53.v20231009:compile
[INFO]    |  |  |  \- org.eclipse.jetty:jetty-jndi:jar:9.4.53.v20231009:compile
[INFO]    |  |  \- org.eclipse.jetty:jetty-webapp:jar:9.4.53.v20231009:compile
[INFO]    |  |     \- org.eclipse.jetty:jetty-xml:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty.websocket:javax-websocket-client-impl:jar:9.4.53.v20231009:compile
[INFO]    |     \- org.eclipse.jetty.websocket:websocket-client:jar:9.4.53.v20231009:compile
[INFO]    |        \- org.eclipse.jetty:jetty-client:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-jmx:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-util:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-java-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-conscrypt-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-servlet:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-security:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-continuation:jar:9.4.53.v20231009:compile
[INFO]    \- org.eclipse.jetty:jetty-jaas:jar:9.4.53.v20231009:compile
[INFO]
[INFO] ------------------< io.confluent:rest-utils-examples >------------------
[INFO] Building rest-utils-example 7.8.0-0                                [4/6]
[INFO]   from examples/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.3.0:tree (default-cli) @ rest-utils-examples ---
[INFO] io.confluent:rest-utils-examples:jar:7.8.0-0
[INFO] \- io.confluent:rest-utils:jar:7.8.0-0:compile
[INFO]    +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-annotations:jar:9.4.53.v20231009:compile
[INFO]    |  |  +- org.eclipse.jetty:jetty-plus:jar:9.4.53.v20231009:compile
[INFO]    |  |  |  \- org.eclipse.jetty:jetty-jndi:jar:9.4.53.v20231009:compile
[INFO]    |  |  \- org.eclipse.jetty:jetty-webapp:jar:9.4.53.v20231009:compile
[INFO]    |  |     \- org.eclipse.jetty:jetty-xml:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty.websocket:javax-websocket-client-impl:jar:9.4.53.v20231009:compile
[INFO]    |     \- org.eclipse.jetty.websocket:websocket-client:jar:9.4.53.v20231009:compile
[INFO]    |        \- org.eclipse.jetty:jetty-client:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-jmx:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-util:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-java-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-conscrypt-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-servlet:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-security:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-continuation:jar:9.4.53.v20231009:compile
[INFO]    \- org.eclipse.jetty:jetty-jaas:jar:9.4.53.v20231009:compile
[INFO]
[INFO] ------------------< io.confluent:rest-utils-package >-------------------
[INFO] Building rest-utils-package 7.8.0-0                                [5/6]
[INFO]   from package/pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- dependency:3.3.0:tree (default-cli) @ rest-utils-package ---
[INFO] io.confluent:rest-utils-package:pom:7.8.0-0
[INFO] \- io.confluent:rest-utils:jar:7.8.0-0:compile
[INFO]    +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-annotations:jar:9.4.53.v20231009:compile
[INFO]    |  |  +- org.eclipse.jetty:jetty-plus:jar:9.4.53.v20231009:compile
[INFO]    |  |  |  \- org.eclipse.jetty:jetty-jndi:jar:9.4.53.v20231009:compile
[INFO]    |  |  \- org.eclipse.jetty:jetty-webapp:jar:9.4.53.v20231009:compile
[INFO]    |  |     \- org.eclipse.jetty:jetty-xml:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty.websocket:javax-websocket-client-impl:jar:9.4.53.v20231009:compile
[INFO]    |     \- org.eclipse.jetty.websocket:websocket-client:jar:9.4.53.v20231009:compile
[INFO]    |        \- org.eclipse.jetty:jetty-client:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-jmx:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-util:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-io:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-java-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-alpn-conscrypt-server:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-servlet:jar:9.4.53.v20231009:compile
[INFO]    |  +- org.eclipse.jetty:jetty-security:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.53.v20231009:compile
[INFO]    +- org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:compile
[INFO]    |  \- org.eclipse.jetty:jetty-continuation:jar:9.4.53.v20231009:compile
[INFO]    \- org.eclipse.jetty:jetty-jaas:jar:9.4.53.v20231009:compile
[INFO]
[INFO] -----------------< io.confluent:rest-utils-fips-tests >-----------------
[INFO] Building rest-utils-fips-tests 7.8.0-0                             [6/6]
[INFO]   from fips-tests/pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.3.0:tree (default-cli) @ rest-utils-fips-tests ---
[INFO] io.confluent:rest-utils-fips-tests:jar:7.8.0-0
[INFO] +- io.confluent:rest-utils:jar:7.8.0-0:compile
[INFO] |  +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.53.v20231009:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-annotations:jar:9.4.53.v20231009:compile
[INFO] |  |     +- org.eclipse.jetty:jetty-plus:jar:9.4.53.v20231009:compile
[INFO] |  |     |  \- org.eclipse.jetty:jetty-jndi:jar:9.4.53.v20231009:compile
[INFO] |  |     \- org.eclipse.jetty:jetty-webapp:jar:9.4.53.v20231009:compile
[INFO] |  |        \- org.eclipse.jetty:jetty-xml:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-jmx:jar:9.4.53.v20231009:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-util:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-alpn-server:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-alpn-conscrypt-server:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-servlet:jar:9.4.53.v20231009:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-security:jar:9.4.53.v20231009:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-continuation:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-jaas:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-alpn-java-server:jar:9.4.53.v20231009:test
[INFO] |  \- org.eclipse.jetty:jetty-io:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.53.v20231009:test
[INFO] |  \- org.eclipse.jetty:jetty-alpn-client:jar:9.4.53.v20231009:test
[INFO] \- org.eclipse.jetty.http2:http2-http-client-transport:jar:9.4.53.v20231009:test
[INFO]    \- org.eclipse.jetty:jetty-client:jar:9.4.53.v20231009:compile
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for rest-utils-parent 7.8.0-0:
[INFO]
[INFO] rest-utils-parent .................................. SUCCESS [  0.410 s]
[INFO] rest-utils ......................................... SUCCESS [  0.266 s]
[INFO] rest-utils-test .................................... SUCCESS [  0.022 s]
[INFO] rest-utils-example ................................. SUCCESS [  0.014 s]
[INFO] rest-utils-package ................................. SUCCESS [  0.011 s]
[INFO] rest-utils-fips-tests .............................. SUCCESS [  0.021 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.111 s
[INFO] Finished at: 2024-04-01T15:57:13-04:00
[INFO] ------------------------------------------------------------------------

@shubh-ranade shubh-ranade requested review from a team as code owners April 1, 2024 19:58
@cla-assistant

cla-assistant bot commented Apr 1, 2024

CLA assistant check
All committers have signed the CLA.

@shubh-ranade shubh-ranade merged commit e982145 into master Apr 1, 2024
@shubh-ranade shubh-ranade deleted the sranade/downgrade-jetty-dos-protection branch April 1, 2024 20:54
@janjwerner-confluent
Member

Could you add

<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-servlets</artifactId>
  <version>9.4.53.v20231009</version>
</dependency>

to the dependency management section instead of downgrading jetty server and exposing it to CVE-2023-36478?
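A check for the outcome of either approach, added here as an example and not code from the rest-utils project or from either commenter: it parses the plain-text output of `mvn dependency:tree -Dincludes=org.eclipse.jetty` (the format shown in the PR description), lists the version every org.eclipse.jetty* artifact resolved to, and flags any artifact that deviates from the expected version without an explicit allowance, resolves to more than one version across the reactor, or sits below a version floor. The allowance map models the reviewer's alternative of pinning only jetty-servlets to 9.4.53.v20231009 in dependencyManagement, which is also why the floor check exists: a per-artifact pin is still a downgrade of that artifact, and Jetty ships its modules as a matched set, so a mixed tree should be exercised by the test suite rather than assumed to work. The downgraded sample is an excerpt of the tree above; the pinned sample and the 9.4.54.v20240208 version string are constructed for the demo.

```python
"""Audit Jetty artifact versions in `mvn dependency:tree` output.

Added example, not code from confluentinc/rest-utils. It parses the plain-text
tree that `mvn dependency:tree -Dincludes=org.eclipse.jetty` prints (with or
without the "[INFO] " prefix), records the version each org.eclipse.jetty*
artifact resolved to, and checks a policy: every Jetty artifact must be at
EXPECTED unless PINS names a different version for it, and nothing may sit
below FLOOR. SAMPLE_PINNED and the 9.4.54 version string are constructed;
SAMPLE_DOWNGRADED is an excerpt of the real PR output.
"""
import re
import sys
from collections import defaultdict

# "[INFO] " plus the tree-drawing prefix ("+- ", "\- ", "|  ") before a coordinate.
_PREFIX = re.compile(r"^(\[INFO\]\s*)?[\s|+\\-]*")
# One Maven coordinate field: no spaces, no colons.
_TOKEN = re.compile(r"^[\w.\-]+$")


def parse_coordinate(line):
    """Return (group, artifact, version, scope) for a tree line, else None.

    dependency:tree prints g:a:type:version for the root, g:a:type:version:scope
    for dependencies and g:a:type:classifier:version:scope when a classifier is
    present, so the field count decides the layout; anything else is log noise.
    """
    parts = _PREFIX.sub("", line.rstrip()).split(":")
    if not all(_TOKEN.match(p) for p in parts):
        return None
    if len(parts) == 4:
        group, artifact, _type, version = parts
        return group, artifact, version, None
    if len(parts) == 5:
        group, artifact, _type, version, scope = parts
        return group, artifact, version, scope
    if len(parts) == 6:
        group, artifact, _type, _classifier, version, scope = parts
        return group, artifact, version, scope
    return None


def jetty_versions(tree_text):
    """Map "group:artifact" -> set of resolved versions for Jetty artifacts."""
    found = defaultdict(set)
    for line in tree_text.splitlines():
        coord = parse_coordinate(line)
        if coord and coord[0].startswith("org.eclipse.jetty"):
            group, artifact, version, _scope = coord
            found[f"{group}:{artifact}"].add(version)
    return dict(found)


def version_key(version):
    """Numeric sort key for Jetty 9.4 versions such as 9.4.53.v20231009."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split(".v")[0]))


def audit(tree_text, expected, minimum, allowed_pins=None):
    """Return findings (strings); an empty list means the tree satisfies policy."""
    allowed_pins = allowed_pins or {}
    findings = []
    for ga, versions in sorted(jetty_versions(tree_text).items()):
        if len(versions) > 1:
            findings.append(f"{ga}: several versions resolved: {sorted(versions)}")
        want = allowed_pins.get(ga, expected)
        for version in sorted(versions):
            if version_key(version) < version_key(minimum):
                findings.append(f"{ga}: {version} is below the floor {minimum}")
            if version != want:
                findings.append(f"{ga}: resolved {version}, policy wants {want}")
    return findings


# Excerpt of the tree in the PR description after the downgrade (real output).
SAMPLE_DOWNGRADED = r"""
[INFO] io.confluent:rest-utils:jar:7.8.0-0
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.53.v20231009:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-io:jar:9.4.53.v20231009:compile
[INFO] +- org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-continuation:jar:9.4.53.v20231009:compile
[INFO] \- org.eclipse.jetty.http2:http2-client:jar:9.4.53.v20231009:test
[INFO] Finished at: 2024-04-01T15:57:13-04:00
"""

# Constructed tree for the reviewer's alternative: only jetty-servlets pinned to
# 9.4.53 via dependencyManagement, everything else left at 9.4.54. The
# 9.4.54.v20240208 string is an assumption for the demo.
SAMPLE_PINNED = r"""
[INFO] io.confluent:rest-utils:jar:7.8.0-0
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.54.v20240208:compile
[INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.54.v20240208:compile
[INFO] |  \- org.eclipse.jetty:jetty-io:jar:9.4.54.v20240208:compile
[INFO] +- org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:compile
[INFO] |  \- org.eclipse.jetty:jetty-continuation:jar:9.4.54.v20240208:compile
[INFO] \- org.eclipse.jetty.http2:http2-client:jar:9.4.54.v20240208:test
"""

EXPECTED = "9.4.54.v20240208"  # assumed full 9.4.54 version string
FLOOR = "9.4.53.v20231009"     # the version this PR settled on
PINS = {"org.eclipse.jetty:jetty-servlets": "9.4.53.v20231009"}

if __name__ == "__main__":
    # Pass a saved `mvn dependency:tree` log as argv[1], or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOWNGRADED
    for line in audit(text, EXPECTED, FLOOR, PINS) or ["policy holds"]:
        print(line)
```

Run against a saved log (file name hypothetical): `mvn dependency:tree -Dincludes=org.eclipse.jetty > tree.log && python audit_jetty.py tree.log`. On the downgraded excerpt the audit reports five artifacts at 9.4.53 that policy expects at 9.4.54; on the pinned tree it reports nothing with the floor at 9.4.53, and exactly one finding (jetty-servlets below the floor) if the floor is raised to 9.4.54, which is the trade-off the review comment is about.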
