Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to upgrade Eclipse Jetty Server to a higher version?

Labels:
avatar
author-rank wojciech_leszcz
Explorer

Created ‎08-01-2018 09:10 AM

Hi guys,

using OpenVAS, I performed a vulnerability scan of my CentOS7 server (there is Apache Nifi in version 1.7.1 with 8081 port). I obtained the following report:

High (CVSS: 10.0)
NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability
Product detection result
cpe:/a:eclipse:jetty:6.1.26.
Detected by Jetty Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800953)
Summary
The host is installed with Eclipse Jetty Server and is prone to information disclosure vulnerability.
Vulnerability Detection Result
Installed version: 9.4.3.20170317
Fixed version: 9.4.11.v20180605
Installation
path / port: 8081/tcp
Impact
Successful exploitation will allow an attacker to disclose sensitive information.
Impact Level: Application
Solution
Solution type: VendorFix
Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later as per the
series. For updates refer to Reference links.
Affected Software/OS
Eclipse Jetty Server versions 9.2.x, 9.3.x before 9.3.24.v20180605 and 9.4.x before
9.4.11.v20180605
Vulnerability Insight
The flaw exists due to an improper handling of bad queries.
Vulnerability Detection Method
Get the installed version with the help of detect NVT and check the version is vulnerable or not.
Details:Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability
OID:1.3.6.1.4.1.25623.1.0.813552
Version used: $Revision: 10443 $
Product Detection Result
Product: cpe:/a:eclipse:jetty:6.1.26.
Method: Jetty Version Detection
OID: 1.3.6.1.4.1.25623.1.0.800953)
References
CVE: CVE-2018-12536
Other:
URL:https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
URL:https://www.eclipse.org/jetty/

[..] solution: Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later..

Unfortunately, I could not find a solution to the problem regarding upgrade Eclipse Jetty Server for Apache Nifi.

Has anyone had a similar problem? The case is fresh.

9,146 Views
0 Kudos
3 REPLIES 3

avatar
author-rank alopresto author-rank
Guru

Created ‎08-01-2018 07:18 PM

You can do this manually on your instance by changing the Jetty dependency version in nifi/pom.xml (<jetty.version>9.4.3.v20170317</jetty.version>). There is an Apache Jira (NIFI-5479) to upgrade this in the core project. Please do not comment on that ticket indicating this is related to a security vulnerability, as the Apache Security Vulnerability Reporting Process must be followed.

8,193 Views

avatar
author-rank wojciech_leszcz
Explorer

Created ‎08-02-2018 06:46 AM

Ok thanks for your answer, but, in which specifically the pom.xml file should be added a row:<jetty.version>9.4.3.v20170317</jetty.version>?

8,193 Views
0 Kudos

avatar
author-rank alopresto author-rank
Guru

Created ‎08-02-2018 07:12 PM

The root pom file located at nifi/pom.xml in the project structure should be modified so the existing jetty.version value is changed from 9.4.3.v20170317 to 9.4.11.v20180605. Initial analysis suggests upgrading the Jetty version will cause runtime errors, as their handling of TLD loading has changed and is currently incompatible with how NiFi works.

8,193 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements