Bug 577157 - Jetty CVE-2021-34429
Summary: Jetty CVE-2021-34429
Status: RESOLVED FIXED
Alias: None
Product: MAT
Classification: Tools
Component: Core
Version: 1.12
Hardware: All
OS: All
Importance: P3 normal
Target Milestone: 1.13.0
Assignee: Andrew Johnson CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on: 578912
Blocks:
Reported: 2021-11-09 15:36 EST by Kevin Grigorenko CLA
Modified: 2022-04-28 07:24 EDT

See Also:
Description Kevin Grigorenko CLA 2021-11-09 15:36:11 EST
Jetty CVE-2021-34429 is being flagged in some user's MAT installation: https://www.eclipse.org/jetty/security_reports.php

Eclipse 2021-09 has Jetty 10.0.6 with the fix: https://download.eclipse.org/eclipse/updates/4.21/R-4.21-202109060500/plugins/

It would be good to resolve this CVE by upgrading MAT standalone to Eclipse 2021-09.
Comment 1 Andrew Johnson CLA 2021-11-10 04:13:42 EST
Sounds like a reasonable idea for the next release - we need a new mat-2021-09.target or later file.
Is Eclipse Linux PPCLE still available with later releases?

Jetty is just used for the help subsystem and listens on localhost so this should just be a possible local vulnerability. Can anything interesting be retrieved from MAT using these URLs?
Comment 2 Kevin Grigorenko CLA 2021-11-10 12:00:47 EST
> Jetty is just used for the help subsystem and listens on localhost so this
> should just be a possible local vulnerability.

I think you're right but it seems many customers (as in this example) now have security teams that are constantly running vulnerability scan tools which aren't aware of all the subtleties, and it's not always easy for them to get an exception.
Comment 3 Andrew Johnson CLA 2022-02-22 13:11:53 EST
I've created files to allow us to build against 2021-12.
Build https://ci.eclipse.org/mat/job/tycho-mat-nightly/1246/
used those files (but subsequent builds will revert to 2021-03), and passed the tests.
We need to see if this works, and what limitations there are in moving up to this level.
We already require Java 11.
Comment 4 Andrew Johnson CLA 2022-02-22 13:19:16 EST
With Eclipse 2021-12 the following are the Jetty files:
./plugins/org.eclipse.jetty.io_10.0.6.jar
./plugins/org.eclipse.equinox.http.jetty_3.8.0.v20210414-1616.jar
./plugins/org.eclipse.jetty.util_10.0.6.jar
./plugins/org.eclipse.jetty.servlet_10.0.6.jar
./plugins/org.eclipse.jetty.util.ajax_10.0.6.jar
./plugins/org.eclipse.jetty.http_10.0.6.jar
./plugins/org.eclipse.jetty.security_10.0.6.jar
./plugins/org.eclipse.jetty.server_10.0.6.jar
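The inventory in Comment 4 is the check a security team's scanner performs: read the plugin jar names and compare the Jetty version against the first fixed release. The script below is an added example, not part of this bug and not MAT's own tooling. It parses Eclipse plugin jar names of the form shown above, ignores the Equinox bridge bundle (org.eclipse.equinox.http.jetty) whose version is unrelated to Jetty's, and knows only one fixed version, Jetty 10.0.6, the release this bug cites for CVE-2021-34429; jars from any other Jetty line are reported as unknown rather than guessed at. The sample listing is constructed: the eight files from Comment 4 plus two made-up older jars so that every branch is exercised.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed release per Jetty major.minor line. Only the 10.0 line is
# filled in, from this bug: Eclipse 2021-09 ships Jetty 10.0.6 with the fix
# for CVE-2021-34429. Other lines are deliberately absent; a jar from one of
# them is reported as "unknown-line" instead of being compared against 10.0.6.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (10, 0): (10, 0, 6),
}

# Eclipse plugin jars are named <bundle>_<major>.<minor>.<micro>[.<qualifier>].jar,
# e.g. org.eclipse.jetty.server_10.0.6.jar. Only org.eclipse.jetty.* bundles are
# matched: org.eclipse.equinox.http.jetty_*.jar is the Equinox-to-Jetty bridge and
# carries its own version, so it says nothing about which Jetty is installed.
_JETTY_JAR = re.compile(
    r"^(?P<bundle>org\.eclipse\.jetty\.[A-Za-z0-9.]+)"
    r"_(?P<ver>\d+\.\d+\.\d+)(?:\.[^/]+)?\.jar$"
)

# Constructed listing: the files Comment 4 reports for Eclipse 2021-12 plus two
# made-up older jars (a 10.0.2 and a 9.4 line jar) for the other two branches.
SAMPLE_PLUGINS: List[str] = [
    "./plugins/org.eclipse.jetty.io_10.0.6.jar",
    "./plugins/org.eclipse.equinox.http.jetty_3.8.0.v20210414-1616.jar",
    "./plugins/org.eclipse.jetty.util_10.0.6.jar",
    "./plugins/org.eclipse.jetty.servlet_10.0.6.jar",
    "./plugins/org.eclipse.jetty.util.ajax_10.0.6.jar",
    "./plugins/org.eclipse.jetty.http_10.0.6.jar",
    "./plugins/org.eclipse.jetty.security_10.0.6.jar",
    "./plugins/org.eclipse.jetty.server_10.0.6.jar",
    "./plugins/org.eclipse.jetty.server_10.0.2.jar",            # constructed: older 10.0 jar
    "./plugins/org.eclipse.jetty.server_9.4.40.v20210413.jar",  # constructed: line not in table
]


def jetty_version(path: str) -> Optional[Tuple[str, Version]]:
    """Return (bundle, (major, minor, micro)) for a Jetty bundle jar, else None."""
    name = path.rsplit("/", 1)[-1]          # directory prefix is irrelevant
    m = _JETTY_JAR.match(name)
    if m is None:
        return None
    major, minor, micro = (int(p) for p in m.group("ver").split("."))
    return m.group("bundle"), (major, minor, micro)


def classify(path: str) -> Optional[str]:
    """'fixed', 'vulnerable' or 'unknown-line' for a Jetty jar; None for other files."""
    parsed = jetty_version(path)
    if parsed is None:
        return None
    _, ver = parsed
    fixed = FIXED_VERSIONS.get(ver[:2])     # look up by major.minor line
    if fixed is None:
        return "unknown-line"               # do not guess across release lines
    return "fixed" if ver >= fixed else "vulnerable"


def scan(paths: List[str]) -> Dict[str, List[str]]:
    """Group every Jetty jar in a plugin listing by status; other jars are skipped."""
    report: Dict[str, List[str]] = {"fixed": [], "vulnerable": [], "unknown-line": []}
    for path in paths:
        status = classify(path)
        if status is not None:
            report[status].append(path)
    return report


if __name__ == "__main__":
    for status, names in scan(SAMPLE_PLUGINS).items():
        for name in names:
            print(f"{status:13} {name}")
```

Run against a real installation by replacing SAMPLE_PLUGINS with the output of a directory walk over the MAT `plugins` folder. Note that a "fixed" Jetty jar only settles the library version; whether the help server is reachable beyond localhost, as Comment 1 discusses, is a separate question about the listener configuration.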
Comment 5 Eclipse Genie CLA 2022-04-20 09:39:52 EDT
New Gerrit change created: https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/192842
Comment 7 Andrew Johnson CLA 2022-04-23 07:35:03 EDT
Please try the latest snapshot build to see if this problem is fixed.
Comment 8 Andrew Johnson CLA 2022-04-27 23:12:57 EDT
As a result of this fix, MAT stand-alone is now based on Eclipse 2022-03.
Comment 9 Eclipse Genie CLA 2022-04-28 07:23:46 EDT
New Gerrit change created: https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/192966