teknux-org / jetty-bootstrap

Jetty embedded bootstrap library. Make it easy to embed Jetty into your maven project and package a standalone app.
http://jetty-bootstrap.io
Apache License 2.0

CVE-2017-7658 #36

Closed danielgoodwin closed 5 years ago

danielgoodwin commented 5 years ago

I have an AMI using jetty-bootstrap (great job!). However, when I try to submit the AMI to Amazon, I get the following error reported.

https://nvd.nist.gov/vuln/detail/CVE-2017-7658

From what I can tell the embedded jetty server has the issue. I believe that the only change required is to update the jetty version.

Could I also ask how I can move the latest version into maven central? Or is there an alternative repository I can use for up to date versions.

Thanks

pinonpierre commented 5 years ago

Hi,

The latest Jetty version is available from the snapshot version (ref. https://github.com/teknux-org/jetty-bootstrap/issues/37).

Please note that this version will be released soon.

Meanwhile, you can define the snapshot repository in your pom and use the 1.0.14-SNAPSHOT version.

    <repository>
        <id>sonatype-nexus-snapshots</id>
        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    </repository>

danielgoodwin commented 5 years ago

I added the repository and changed the jetty-bootstrap version to 1.0.14-SNAPSHOT. Built the webapp and installed it; the maven log is showing Jetty version 9.4.11.v20180605. However, when I re-run the OpenVAS scanner I get the same error (I have attached a screenshot).

I am noting that the Jetty version is 9.4. I don't know if that has anything to do with the issue being reported.

Also, just to make sure, I took one of the jetty-bootstrap examples (self) to make sure my embedded web app was not the cause. Again I get the same reported error. I do realise this could still be just a Jetty issue, but is there anything in the bootstrap code that could exhibit similar behaviour?

[Screenshot attached: screen shot 2018-11-27 at 15 42 24]

pinonpierre commented 5 years ago

I don't understand this issue, because I took a look at the files.

I took a look at the pom file deployed in the maven central, "https://oss.sonatype.org/content/repositories/snapshots/org/teknux/jetty-bootstrap-parent/1.0.14-SNAPSHOT/jetty-bootstrap-parent-1.0.14-20181120.141708-1.pom", and the dependency is Jetty "9.4.14.v20181114".

And I never used the "9.4.11.v20180605" Jetty version.

I'm sorry, but I don't know how I can help you.

pinonpierre commented 5 years ago

Hmm, I'm wondering whether you have the same issue as me.

For my professional project, Jetty returns the version 9.4.z-SNAPSHOT instead of its real version. I think your vulnerability checker cannot analyse the number (9.4.z-SNAPSHOT) correctly and truncates the version to 9.4.

And 9.4 is analysed as lower than 9.4.11.

I think it's a Jetty bug.

danielgoodwin commented 5 years ago

It looks like it was indeed the version check. I took the bootstrap code and added some code to remove the sending of the header, and it now passes the AWS OpenVAS test. FYI, the code change was in JettyBootstrap.java, startServer:

    IJettyConfiguration iJettyConfiguration = getInitializedConfiguration();
    initServer(iJettyConfiguration);

    // Walk every connector and every HTTP connection factory it carries, and
    // turn off the "Server: Jetty(...)" response header so the version banner
    // is no longer sent to clients (and to banner-based scanners).
    try {
        for (Connector y : server.getConnectors()) {
            for (org.eclipse.jetty.server.ConnectionFactory x : y.getConnectionFactories()) {
                if (x instanceof HttpConnectionFactory) {
                    ((HttpConnectionFactory) x).getHttpConfiguration().setSendServerVersion(false);
                }
            }
        }
    } catch (Exception ex) {
        // Header suppression is best-effort; a failure here must not stop the server from starting.
    }

    try {
        server.start();
    } catch (Exception e) {
        throw new JettyBootstrapException(e);
    }
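The following is an added example, not code from this thread or from jetty-bootstrap. It shows the same header suppression on a plain embedded Jetty 9.4 `Server`, configured up front on the `HttpConfiguration` rather than patched onto the connectors after the fact, and it adds the check that the banner alone cannot give you: reading the Jetty version actually on the classpath (`Server.getVersion()`) and comparing it against the first fixed release the maintainer named. The version parser deliberately refuses to treat an unparseable component such as the `z` in `9.4.z-SNAPSHOT` as proof of anything, which is the gap the scanner in this thread fell into when it truncated that string to `9.4`. The class name, the port and the `MINIMUM_FIXED_VERSION` constant are assumptions for the example.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Added example (hypothetical class, not part of jetty-bootstrap):
 *  1. verify that the Jetty on the classpath is at least the fixed release, and
 *  2. stop Jetty from advertising its version in response headers.
 */
public class HardenedJettyExample {

    // The first fixed release the maintainer pointed to in the thread (assumed minimum).
    static final String MINIMUM_FIXED_VERSION = "9.4.14.v20181114";

    /**
     * Parses "9.4.14.v20181114" or "9.4.z-SNAPSHOT" into [major, minor, patch].
     * A component that is not a number (for example "z") becomes -1, meaning unknown.
     */
    static int[] parseVersion(String version) {
        String[] parts = version.split("[.\\-]");
        int[] out = {-1, -1, -1};
        for (int i = 0; i < out.length && i < parts.length; i++) {
            try {
                out[i] = Integer.parseInt(parts[i]);
            } catch (NumberFormatException e) {
                out[i] = -1;
            }
        }
        return out;
    }

    /**
     * True only when the running version can be shown to be >= minimum.
     * An unknown component yields false: "9.4.z-SNAPSHOT" proves neither
     * that the fix is present nor that it is absent, so the caller must
     * confirm the version from the build (pom / jar manifest) instead.
     */
    static boolean isAtLeast(String running, String minimum) {
        int[] r = parseVersion(running);
        int[] m = parseVersion(minimum);
        for (int i = 0; i < r.length; i++) {
            if (r[i] < 0) {
                return false;
            }
            if (r[i] != m[i]) {
                return r[i] > m[i];
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String running = Server.getVersion();
        if (!isAtLeast(running, MINIMUM_FIXED_VERSION)) {
            System.err.println("WARNING: Jetty reports " + running
                    + "; cannot confirm it is >= " + MINIMUM_FIXED_VERSION
                    + ". Check the resolved dependency in the build instead of the banner.");
        }

        Server server = new Server();

        // Configure the headers once, before the connector is created, so every
        // HttpConnectionFactory built from this configuration inherits the setting.
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSendServerVersion(false);   // no "Server: Jetty(9.4.z-SNAPSHOT)"
        httpConfig.setSendXPoweredBy(false);      // no "X-Powered-By: Jetty(...)"

        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(8080);                  // assumed port for the example
        server.addConnector(connector);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest,
                               HttpServletRequest request, HttpServletResponse response) throws IOException {
                response.setContentType("text/plain");
                response.getWriter().println("ok");
                baseRequest.setHandled(true);
            }
        });

        server.start();
        server.join();
    }
}
```

With the scanner's own numbers, `isAtLeast("9.4.14.v20181114", MINIMUM_FIXED_VERSION)` is true, `isAtLeast("9.4.11.v20180605", ...)` is false, and `isAtLeast("9.4.z-SNAPSHOT", ...)` is false because the patch component is unknown rather than zero. Suppressing the header removes the false positive from a banner-based scan, but it is the resolved Jetty artifact in the build, not the absence of the header, that establishes whether the fix is actually present.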