wiremock
Jetty security issue
Affected versions: <=2.33.2
Reproduction
For our client we have wiremock in use, and when using trivy's vulnerability scanner (https://github.com/aquasecurity/trivy) we see that a new security warning recently came in:
Command:

```
docker run -v $PWD:/myapp aquasec/trivy:0.18.3 fs --no-progress --ignore-unfixed --format table --exit-code 1 /myapp
```

(Alternatively the trivy tool can also be installed. I'm using docker because trivy was not supported for my OS.)
```
**/***/**/***/wiremock-jre8-standalone-2.33.2.jar
======================================================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
```

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| org.eclipse.jetty.http2:http2-server | CVE-2022-2048 | HIGH | 9.4.46.v20220331 | 11.0.10, 10.0.10, 9.4.47 | Invalid HTTP/2 requests can lead to denial of service (avd.aquasec.com/nvd/cve-2022-2048) |
| org.eclipse.jetty:jetty-http | CVE-2022-2047 | LOW | 9.4.46.v20220331 | 11.0.10, 10.0.10, 9.4.47 | Invalid URI parsing may produce invalid HttpURI.authority (avd.aquasec.com/nvd/cve-2022-2047) |
| org.eclipse.jetty:jetty-server | CVE-2022-2191 | HIGH | 9.4.46.v20220331 | 11.0.10, 10.0.10 | SslConnection does not release pooled ByteBuffers in case of errors (avd.aquasec.com/nvd/cve-2022-2191) |
This would be fixed via #1907! But then again, wiremock should move on to jetty 10+ ASAP because jetty 9 has reached the end of community support: https://github.com/wiremock/wiremock/pull/1907#issuecomment-1164657332
cc @tomakehurst
https://nvd.nist.gov/vuln/detail/CVE-2022-2191 seems to be saying that this vuln is only in 10 and above. If so, a 9.x bump should resolve these.
@tomakehurst

> https://nvd.nist.gov/vuln/detail/CVE-2022-2191 seems to be saying that this vuln is only in 10 and above.
Do you mean "only fixed in 10 and above"? If yes then this is true. Meaning: Only merging the mentioned PR will leave CVE-2022-2191 unfixed (I did just realize that in my own trivy scan Jenkins job after forcing 9.4.48 via jetty-bom).
It seems to me that my use cases are still working when forcing 10.0.11 upon wiremock 2.33.2. Does that sound right? Or are there any code changes needed in wiremock to support jetty 10?
No, only exists in 10+
Here's what the description says:

> In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
This is further supported by: https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28
Ok, a trivy false positive then. Thanks for clarifying!
Apart from that, do you have plans to move on to jetty 10?
We won't be doing 10, but will be doing 11 soon.
This will probably be under a separate artifact name though since 11 raises the minimum JDK version to 11.
Any ETA for when new version with jetty security fix will be released?
After 1 week, is there a solution on the horizon? If not, is there something I can do to support?
Hi @tomakehurst,
Is there an expected timeline for bumping Jetty to 9.4.47 to fix CVE-2022-2048?
Many thanks
I would like to have this too. Jetty 11 would be great.
Jetty 11 would be nice for the jakarta dependencies that are required for the spring boot 3 update.
For those waiting for an update: Just import the latest 9.x jetty-bom in dependencyManagement (if using Maven) and you're good!
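A worked version of that workaround, added here as an example and not taken from the thread or from the wiremock project: a Maven `dependencyManagement` import of the Jetty 9.4.x BOM next to the wiremock dependency. Managed versions apply to transitive dependencies too, so every `org.eclipse.jetty` artifact wiremock pulls in resolves to the BOM's version instead of the bundled 9.4.46. This only works for the plain `wiremock-jre8` artifact, whose Jetty dependencies are ordinary Maven dependencies; the `-standalone` jar flagged in the scan above is a shaded fat jar with Jetty classes inside it, and no dependency management can change what it contains. The version `9.4.48.v20220622` is the assumed target (the thread mentions 9.4.48); the groupId `com.github.tomakehurst` is the one wiremock 2.x publishes under.

```xml
<project>
  <!-- ...existing coordinates, properties, build section... -->

  <dependencyManagement>
    <dependencies>
      <!-- Jetty 9.4.x BOM: pins every org.eclipse.jetty artifact that wiremock
           pulls in transitively (jetty-server, jetty-http, http2-server, ...)
           to this version. 9.4.48.v20220622 is the assumed target here; check
           Maven Central for the latest 9.4.x release before copying. -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-bom</artifactId>
        <version>9.4.48.v20220622</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The non-shaded artifact: its Jetty dependencies are regular Maven
         dependencies, so the managed version above overrides them. The
         wiremock-jre8-standalone jar would NOT be affected by this pin. -->
    <dependency>
      <groupId>com.github.tomakehurst</groupId>
      <artifactId>wiremock-jre8</artifactId>
      <version>2.33.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm the pin actually took effect with `mvn dependency:tree -Dincludes=org.eclipse.jetty` (every Jetty artifact should show the BOM version) and re-run the trivy scan from the first comment so the CVE-2022-2047/2048 findings disappear from the report rather than just from the build file. Treat the BOM pin as an interim measure: it has to be revisited once a wiremock release bumps Jetty itself, and the CVE-2022-2191 finding is a false positive on 9.4.x as discussed above, not something this pin addresses.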
Jetty 11 support will come in the next release: #1760
Can you also please update commons-io to 2.7 or higher?
https://security.snyk.io/vuln/SNYK-JAVA-COMMONSIO-1277109
@nalbion we're already on 2.11.0: https://github.com/wiremock/wiremock/blob/2.33.2/build.gradle#L88