
How to upgrade Eclipse Jetty Server to a higher version?

Hi guys,

Using OpenVAS, I performed a vulnerability scan of my CentOS 7 server (it runs Apache NiFi 1.7.1 on port 8081). I obtained the following report:

High (CVSS: 10.0)
NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability
Product detection result
cpe:/a:eclipse:jetty:6.1.26.
Detected by Jetty Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800953)
Summary
The host is installed with Eclipse Jetty Server and is prone to information disclosure vulnerability.
Vulnerability Detection Result
Installed version: 9.4.3.20170317
Fixed version: 9.4.11.v20180605
Installation path / port: 8081/tcp
Impact
Successful exploitation will allow an attacker to disclose sensitive information.
Impact Level: Application
Solution
Solution type: VendorFix
Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later as per the
series. For updates refer to Reference links.
Affected Software/OS
Eclipse Jetty Server versions 9.2.x, 9.3.x before 9.3.24.v20180605 and 9.4.x before
9.4.11.v20180605
Vulnerability Insight
The flaw exists due to an improper handling of bad queries.
Vulnerability Detection Method
Get the installed version with the help of detect NVT and check the version is vulnerable or not.
Details:Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability
OID:1.3.6.1.4.1.25623.1.0.813552
Version used: $Revision: 10443 $
Product Detection Result
Product: cpe:/a:eclipse:jetty:6.1.26.
Method: Jetty Version Detection
OID: 1.3.6.1.4.1.25623.1.0.800953)
References
CVE: CVE-2018-12536
Other:
URL:https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
URL:https://www.eclipse.org/jetty/

[..] solution: Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later.

Unfortunately, I could not find a solution to the problem of upgrading Eclipse Jetty Server for Apache NiFi.

Has anyone had a similar problem? The case is fresh.


You can do this manually on your instance by changing the Jetty dependency version in nifi/pom.xml (<jetty.version>9.4.3.v20170317</jetty.version>). There is an Apache Jira (NIFI-5479) to upgrade this in the core project. Please do not comment on that ticket indicating this is related to a security vulnerability, as the Apache Security Vulnerability Reporting Process must be followed.

OK, thanks for your answer, but specifically in which pom.xml file should the row <jetty.version>9.4.3.v20170317</jetty.version> be changed?

The root pom file located at nifi/pom.xml in the project structure should be modified so the existing jetty.version value is changed from 9.4.3.v20170317 to 9.4.11.v20180605. Initial analysis suggests upgrading the Jetty version will cause runtime errors, as their handling of TLD loading has changed and is currently incompatible with how NiFi works.
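The scan report above says its detection method is a plain version comparison ("get the installed version ... and check the version is vulnerable or not"), and the replies say the fix is to edit the jetty.version property in the root nifi/pom.xml. The following script, an added example that is not part of this thread and not NiFi project code, ties the two together: it parses Jetty version strings in the two spellings the report uses (9.4.3.v20170317 and 9.4.3.20170317), checks them against the affected ranges the report lists, reads jetty.version out of a pom.xml, and rewrites that single property the way the manual edit would. The pom content is a constructed, shortened sample; the only thing it shares with the real NiFi root pom is the jetty.version property named in the thread.

```python
"""Audit and bump the jetty.version property of a Maven pom.xml against the
affected ranges quoted in the OpenVAS report for CVE-2018-12536.

Added example; not code from the forum thread or from Apache NiFi.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as the report states them: 9.2.x (no fixed release
# listed), 9.3.x before 9.3.24.v20180605, 9.4.x before 9.4.11.v20180605.
FIXED_BY_SERIES = {
    (9, 3): "9.3.24.v20180605",
    (9, 4): "9.4.11.v20180605",
}
AFFECTED_SERIES_WITHOUT_FIX = {(9, 2)}

# Jetty 9 versions look like MAJOR.MINOR.PATCH.vYYYYMMDD; the scanner printed
# the same version without the "v", so the "v" is optional here.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v?(\d{8}))?$")


def parse_jetty_version(text):
    """Return (major, minor, patch, date) as integers for tuple comparison.

    A missing date stamp is treated as 0, which is the conservative choice: a
    bare '9.4.11' sorts below the dated fixed release and is still flagged.
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Jetty version string: {text!r}")
    major, minor, patch, date = match.groups()
    return int(major), int(minor), int(patch), int(date or 0)


def is_vulnerable(version):
    """True when the version falls inside an affected range from the report."""
    parsed = parse_jetty_version(version)
    series = parsed[:2]
    if series in AFFECTED_SERIES_WITHOUT_FIX:
        return True
    fixed = FIXED_BY_SERIES.get(series)
    if fixed is None:
        return False  # series not listed as affected in the report
    return parsed < parse_jetty_version(fixed)


def jetty_version_from_pom(pom_xml):
    """Read <properties><jetty.version> from pom text, with or without the
    Maven default namespace on the root element."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    tag = (lambda name: f"{{{ns}}}{name}") if ns else (lambda name: name)
    element = root.find(f"{tag('properties')}/{tag('jetty.version')}")
    if element is None or not (element.text or "").strip():
        raise LookupError("pom.xml has no jetty.version property")
    return element.text.strip()


def bump_jetty_version(pom_xml, new_version):
    """Rewrite only the jetty.version property, as text, so comments and
    formatting elsewhere in the pom survive (like a manual edit would)."""
    parse_jetty_version(new_version)  # refuse malformed replacement values
    new_xml, count = re.subn(
        r"(<jetty\.version>)[^<]*(</jetty\.version>)",
        rf"\g<1>{new_version}\g<2>",
        pom_xml,
        count=1,
    )
    if count != 1:
        raise LookupError("pom.xml has no <jetty.version> element to rewrite")
    return new_xml


def audit_pom(pom_xml):
    """Return (current_version, vulnerable) for a pom's jetty.version."""
    current = jetty_version_from_pom(pom_xml)
    return current, is_vulnerable(current)


# Constructed sample: a minimal root pom carrying the property the thread names.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apache.nifi</groupId>
    <artifactId>nifi</artifactId>
    <version>1.7.1</version>
    <properties>
        <!-- constructed sample; value matches the one quoted in the thread -->
        <jetty.version>9.4.3.v20170317</jetty.version>
    </properties>
</project>
"""

if __name__ == "__main__":
    current, vulnerable = audit_pom(SAMPLE_POM)
    print(f"current jetty.version={current} vulnerable={vulnerable}")
    updated = bump_jetty_version(SAMPLE_POM, FIXED_BY_SERIES[(9, 4)])
    print(f"after bump: {audit_pom(updated)}")
```

Running the script on the sample flags 9.4.3.v20170317 as inside the affected 9.4.x range and shows the rewritten pom passing the same check at 9.4.11.v20180605. Two things the version check cannot tell you, and which the last reply points out, are whether the rebuilt NiFi actually starts (the reply reports TLD-loading incompatibilities after the bump) and whether the Jetty jars on disk match what the pom says, so treat a clean result here as the input to a rebuild-and-rescan, not as the fix itself.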