Jinwoo Hwang created GEODE-10470:
------------------------------------
Summary: Migrate Jetty from 9.4.57 to 12 or higher
Key: GEODE-10470
URL: https://issues.apache.org/jira/browse/GEODE-10470
Project: Geode
Issue Type: Improvement
Reporter: Jinwoo Hwang
h3. Problem Statement
Apache Geode currently uses Eclipse Jetty 9.4.57.v20241219 as its embedded HTTP server. This version has several issues that need to be addressed:
* Security Vulnerability: CVE-2025-5115 affects Jetty versions ≤9.4.57, where HTTP/2 clients may trigger the server to send RST_STREAM frames, potentially leading to denial of service attacks through malformed frame processing.
* End-of-Life Support: Jetty 9.4.x series is approaching end-of-life, with limited future security updates and bug fixes.
* Performance Improvements: Jetty 12.x offers significant performance enhancements, better HTTP/2 support, and improved memory efficiency.
h3. Current Usage in Geode
Jetty is extensively used throughout the Apache Geode codebase in the following components:
* geode-http-service: Core HTTP service implementation (InternalHttpService.java)
* geode-pulse: Web-based management console (test framework)
* Session management testing: Integration with web servers for session module testing
* REST API endpoints: Supporting web management and API services
* Web application deployment: WAR file deployment and servlet container functionality
h3. Affected Modules
* geode-http-service (primary usage)
* geode-pulse/geode-pulse-test
* extensions/geode-modules-session (testing)
* geode-assembly (distribution and testing)
h3. Scope of Changes
h4. 1. Dependency Updates
* Update jetty.version in DependencyConstraints.groovy from 9.4.57.v20241219 to 12.0.x
* Update all Jetty-related dependencies:
** org.eclipse.jetty:jetty-server
** org.eclipse.jetty:jetty-webapp
** org.eclipse.jetty:jetty-distribution
h4. 2. Code Migration
* API Changes: Jetty 12 introduces breaking API changes that require code updates
* SSL Configuration: Update SSL context factory usage (SslContextFactory.Server)
* HTTP Configuration: Migrate HTTP configuration classes
* WebApp Context: Update web application deployment mechanisms
* Connector Configuration: Update server connector setup
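As an added illustration of the Jetty 12 classes the items above refer to (example code written for this ticket, not Geode's InternalHttpService and not code from the Jetty project), the following wires together SslContextFactory.Server, HttpConfiguration, a TLS ServerConnector and an ee10 WebAppContext in a minimal embedded server. The class name, keystore path and password, WAR path and port are placeholders; the example assumes the jakarta.servlet-based ee10 environment, which is the package reorganization noted under Breaking Changes. HTTP/2 is not enabled here, so it is TLS in front of HTTP/1.1 only.

```java
// Added example (not Geode's or Jetty's own code): minimal Jetty 12 embedded
// server with a TLS connector and an EE10 (jakarta.servlet) web application.
// Keystore, WAR path, password and port below are placeholders.
import org.eclipse.jetty.ee10.webapp.WebAppContext;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Jetty12TlsServerExample {

    /** Builds (but does not start) the server so each piece can be inspected or tested. */
    public static Server build(String keyStorePath, String keyStorePassword,
                               String warPath, int securePort) {
        Server server = new Server();

        // HTTP configuration: declare the connector secure so request.isSecure()
        // and scheme/port are reported correctly, and do not advertise the
        // Jetty version in the Server header.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(securePort);
        httpsConfig.setSendServerVersion(false);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        // SSL context factory: the Server variant (not the deprecated base class)
        // is what an embedded HTTP service should configure.
        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
        sslContextFactory.setKeyStorePath(keyStorePath);          // placeholder path
        sslContextFactory.setKeyStorePassword(keyStorePassword);  // placeholder secret
        sslContextFactory.setIncludeProtocols("TLSv1.2", "TLSv1.3");

        // Connector: TLS connection factory chained in front of HTTP/1.1.
        HttpConnectionFactory http1 = new HttpConnectionFactory(httpsConfig);
        SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory, http1.getProtocol());
        ServerConnector connector = new ServerConnector(server, tls, http1);
        connector.setPort(securePort);
        server.addConnector(connector);

        // WebApp context: in Jetty 12 the servlet container is provided by the
        // ee10 module (jakarta.servlet) instead of org.eclipse.jetty.webapp.
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/");
        webapp.setWar(warPath);  // placeholder WAR location
        server.setHandler(webapp);

        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build("/path/to/keystore.p12", "changeit", "/path/to/app.war", 8443);
        server.start();
        server.join();
    }
}
```

The WebAppContext import comes from the org.eclipse.jetty.ee10:jetty-ee10-webapp artifact, which in Jetty 12 replaces org.eclipse.jetty:jetty-webapp listed above; the core org.eclipse.jetty:jetty-server artifact still provides the Server, connector and HttpConfiguration classes.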
h4. 3. Configuration Updates
* Update hardcoded Jetty versions in test files
* Modify Jetty distribution downloads in assembly
* Update session testing configurations
h3. Technical Considerations
h4. Breaking Changes Expected
* Package reorganization (jakarta.* vs javax.*)
* API method signature changes
* Configuration class restructuring
* SSL/TLS configuration updates
h4. Benefits
* Security: Addresses CVE-2025-5115 and future vulnerabilities
* Performance: Improved HTTP/2 support and better resource utilization
* Support: Long-term support and active development
* Standards Compliance: Better adherence to Jakarta EE specifications
* Memory Efficiency: Reduced memory footprint and improved garbage collection
h3. Acceptance Criteria
* All Jetty dependencies updated to version 12.x
* InternalHttpService successfully starts with Jetty 12
* SSL/TLS functionality works correctly with new SSL configuration
* Geode Pulse web console loads and functions properly
* REST API endpoints remain functional
* Session management tests pass with updated Jetty
* No regression in HTTP service performance
* All existing unit and integration tests pass
* CVE-2025-5115 vulnerability resolved
* Documentation updated for any configuration changes
h3. Testing Requirements
* Unit Tests: All existing HTTP service tests must pass
* Integration Tests: Web application deployment and servlet functionality
* Security Testing: Verify CVE-2025-5115 is resolved
* Performance Testing: Ensure no regression in HTTP service performance
* Compatibility Testing: Test with all supported web applications (Pulse, REST APIs)
h3. Risk Assessment
* High: API breaking changes may require significant code refactoring
* Medium: Potential compatibility issues with existing web applications
* Low: Well-documented migration path from Jetty project
h3. Estimated Effort
* Development: 2-3 weeks
* Testing: 1-2 weeks
* Documentation: 1 week
h3. Dependencies
* Review Jakarta EE migration requirements
* Coordinate with Spring Security upgrade (if needed for compatibility)
* Validate with current Java 17 compatibility
--
This message was sent by Atlassian Jira (v8.20.10#820010)