[ https://issues.apache.org/jira/browse/GEODE-10470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jinwoo Hwang updated GEODE-10470:
---------------------------------
    Description: 
*Problem Statement:* Apache Geode currently uses Eclipse Jetty 9.4.57.v20241219 
as its embedded HTTP server. This version has several issues that need to be 
addressed:
 # *Security Vulnerability:* CVE-2025-5115 affects Jetty versions ≤9.4.57, 
where HTTP/2 clients may trigger the server to send RST_STREAM frames, 
potentially leading to denial of service attacks through malformed frame 
processing.

 # *End-of-Life Support:* Jetty 9.4.x series is approaching end-of-life, with 
limited future security updates and bug fixes.

 # *Performance Improvements:* Jetty 12.x offers significant performance 
enhancements, better HTTP/2 support, and improved memory efficiency.

*Current Usage in Geode:* Jetty is extensively used throughout the Apache Geode 
codebase in the following components:
 * {*}geode-http-service{*}: Core HTTP service implementation 
(InternalHttpService.java)
 * {*}geode-pulse{*}: Web-based management console (test framework)
 * {*}Session management testing{*}: Integration with web servers for session 
module testing
 * {*}REST API endpoints{*}: Supporting web management and API services
 * {*}Web application deployment{*}: WAR file deployment and servlet container 
functionality

*Affected Modules:*
 * geode-http-service (primary usage)
 * geode-pulse-test
 * geode-modules-session (testing)
 * geode-assembly (distribution and testing)

h3. *Scope of Changes*
 # *Dependency Updates:*
 ** Update jetty.version in DependencyConstraints.groovy from 
{{9.4.57.v20241219}} to {{12 or higher}}
 ** Update all Jetty-related dependencies:
 *** org.eclipse.jetty:jetty-server
 *** org.eclipse.jetty:jetty-webapp
 *** org.eclipse.jetty:jetty-distribution
 # *Code Migration:*
 ** {*}API Changes{*}: Jetty 12 introduces breaking API changes that require 
code updates
 ** {*}SSL Configuration{*}: Update SSL context factory usage 
(SslContextFactory.Server)
 ** {*}HTTP Configuration{*}: Migrate HTTP configuration classes
 ** {*}WebApp Context{*}: Update web application deployment mechanisms
 ** {*}Connector Configuration{*}: Update server connector setup
 # *Configuration Updates:*
 ** Update hardcoded Jetty versions in test files
 ** Modify Jetty distribution downloads in assembly
 ** Update session testing configurations
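Taken together, the SSL, HTTP, connector and WebApp items above map onto a Jetty 12 server bootstrap like the following. This is an added illustration, not Geode's InternalHttpService code: it assumes the ee10 (Jakarta Servlet 6) environment, so WebAppContext comes from the jetty-ee10-webapp artifact rather than jetty-webapp, and the class name, parameters and paths are hypothetical.

```java
import org.eclipse.jetty.ee10.webapp.WebAppContext;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Hypothetical Jetty 12 bootstrap for an embedded HTTPS service hosting one WAR. */
public final class Jetty12HttpsExample {
  public static Server build(String bindAddress, int port,
                             String keyStorePath, String keyStorePassword,
                             String contextPath, String warPath) {
    Server server = new Server();

    // HTTP configuration: suppress the Server version header and let the
    // SecureRequestCustomizer mark TLS requests as secure for the servlet API.
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setSendServerVersion(false);
    httpConfig.addCustomizer(new SecureRequestCustomizer());

    // SSL configuration: the server-side factory, limited to TLS 1.2 and 1.3.
    SslContextFactory.Server ssl = new SslContextFactory.Server();
    ssl.setKeyStorePath(keyStorePath);
    ssl.setKeyStorePassword(keyStorePassword);
    ssl.setIncludeProtocols("TLSv1.3", "TLSv1.2");

    // Connector configuration: TLS first, HTTP/1.1 negotiated on top of it.
    ServerConnector connector = new ServerConnector(server,
        new SslConnectionFactory(ssl, "http/1.1"),
        new HttpConnectionFactory(httpConfig));
    connector.setHost(bindAddress);
    connector.setPort(port);
    server.addConnector(connector);

    // WebApp context: in Jetty 12 this class moves from org.eclipse.jetty.webapp
    // to the Jakarta Servlet environment package org.eclipse.jetty.ee10.webapp.
    WebAppContext webapp = new WebAppContext();
    webapp.setContextPath(contextPath);
    webapp.setWar(warPath);

    ContextHandlerCollection contexts = new ContextHandlerCollection();
    contexts.addHandler(webapp);
    server.setHandler(contexts);
    return server;
  }
}
```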

h3. *Technical Considerations*

*Breaking Changes Expected:*
 * Package reorganization (jakarta.* vs javax.*)
 * API method signature changes
 * Configuration class restructuring
 * SSL/TLS configuration updates

*Benefits:*
 * {*}Security{*}: Addresses CVE-2025-5115 and future vulnerabilities
 * {*}Performance{*}: Improved HTTP/2 support and better resource utilization
 * {*}Support{*}: Long-term support and active development
 * {*}Standards Compliance{*}: Better adherence to Jakarta EE specifications
 * {*}Memory Efficiency{*}: Reduced memory footprint and improved garbage 
collection

h3. *Acceptance Criteria*
 *  All Jetty dependencies updated to version 12.x
 *  InternalHttpService successfully starts with Jetty 12
 *  SSL/TLS functionality works correctly with new SSL configuration
 *  Geode Pulse web console loads and functions properly
 *  REST API endpoints remain functional
 *  Session management tests pass with updated Jetty
 *  No regression in HTTP service performance
 *  All existing unit and integration tests pass
 *  CVE-2025-5115 vulnerability resolved
 *  Documentation updated for any configuration changes

h3. *Testing Requirements*
 # {*}Unit Tests{*}: All existing HTTP service tests must pass
 # {*}Integration Tests{*}: Web application deployment and servlet functionality
 # {*}Security Testing{*}: Verify CVE-2025-5115 is resolved
 # {*}Performance Testing{*}: Ensure no regression in HTTP service performance
 # {*}Compatibility Testing{*}: Test with all supported web applications 
(Pulse, REST APIs)

h3. *Risk Assessment*
 * {*}High{*}: API breaking changes may require significant code refactoring
 * {*}Medium{*}: Potential compatibility issues with existing web applications
 * {*}Low{*}: Well-documented migration path from Jetty project

h3. *Estimated Effort*
 * Development: 2-3 weeks
 * Testing: 1-2 weeks
 * Documentation: 1 week

h3. *Dependencies*
 * Review Jakarta EE migration requirements
 * Coordinate with Spring Security upgrade (if needed for compatibility)
 * Validate with current Java 17 compatibility

----
This comprehensive JIRA description covers all the essential aspects of the 
Jetty migration, including the security vulnerability (CVE-2025-5115), current 
usage analysis, and detailed migration requirements.

  was:
h3. Problem Statement

Apache Geode currently uses Eclipse Jetty 9.4.57.v20241219 as its embedded HTTP 
server. This version has several issues that need to be addressed:

Security Vulnerability: CVE-2025-5115 affects Jetty versions ≤9.4.57, where 
HTTP/2 clients may trigger the server to send RST_STREAM frames, potentially 
leading to denial of service attacks through malformed frame processing.
End-of-Life Support: Jetty 9.4.x series is approaching end-of-life, with 
limited future security updates and bug fixes.
Performance Improvements: Jetty 12.x offers significant performance 
enhancements, better HTTP/2 support, and improved memory efficiency.
h3. Current Usage in Geode

Jetty is extensively used throughout the Apache Geode codebase in the following 
components:

geode-http-service: Core HTTP service implementation (InternalHttpService.java)
geode-pulse: Web-based management console (test framework)
Session management testing: Integration with web servers for session module 
testing
REST API endpoints: Supporting web management and API services
Web application deployment: WAR file deployment and servlet container 
functionality
h3. Affected Modules

geode-http-service (primary usage)
geode-pulse/geode-pulse-test
extensions/geode-modules-session (testing)
geode-assembly (distribution and testing)
h3. Scope of Changes

h4. 1. Dependency Updates

Update jetty.version in DependencyConstraints.groovy from 9.4.57.v20241219 to 
12.0.x
Update all Jetty-related dependencies:
** org.eclipse.jetty:jetty-server
** org.eclipse.jetty:jetty-webapp
** org.eclipse.jetty:jetty-distribution
h4. 2. Code Migration

API Changes: Jetty 12 introduces breaking API changes that require code updates
SSL Configuration: Update SSL context factory usage (SslContextFactory.Server)
HTTP Configuration: Migrate HTTP configuration classes
WebApp Context: Update web application deployment mechanisms
Connector Configuration: Update server connector setup
h4. 3. Configuration Updates

Update hardcoded Jetty versions in test files
Modify Jetty distribution downloads in assembly
Update session testing configurations
h3. Technical Considerations

h4. Breaking Changes Expected

Package reorganization (jakarta.* vs javax.*)
API method signature changes
Configuration class restructuring
SSL/TLS configuration updates
h4. Benefits

Security: Addresses CVE-2025-5115 and future vulnerabilities
Performance: Improved HTTP/2 support and better resource utilization
Support: Long-term support and active development
Standards Compliance: Better adherence to Jakarta EE specifications
Memory Efficiency: Reduced memory footprint and improved garbage collection
h3. Acceptance Criteria

All Jetty dependencies updated to version 12.x
InternalHttpService successfully starts with Jetty 12
SSL/TLS functionality works correctly with new SSL configuration
Geode Pulse web console loads and functions properly
REST API endpoints remain functional
Session management tests pass with updated Jetty
No regression in HTTP service performance
All existing unit and integration tests pass
CVE-2025-5115 vulnerability resolved
Documentation updated for any configuration changes
h3. Testing Requirements

Unit Tests: All existing HTTP service tests must pass
Integration Tests: Web application deployment and servlet functionality
Security Testing: Verify CVE-2025-5115 is resolved
Performance Testing: Ensure no regression in HTTP service performance
Compatibility Testing: Test with all supported web applications (Pulse, REST 
APIs)
h3. Risk Assessment

High: API breaking changes may require significant code refactoring
Medium: Potential compatibility issues with existing web applications
Low: Well-documented migration path from Jetty project
h3. Estimated Effort

Development: 2-3 weeks
Testing: 1-2 weeks
Documentation: 1 week
h3. Dependencies

Review Jakarta EE migration requirements
Coordinate with Spring Security upgrade (if needed for compatibility)
Validate with current Java 17 compatibility


> Migrate Jetty from 9.4.57 to 12 or higher
> -----------------------------------------
>
>                 Key: GEODE-10470
>                 URL: https://issues.apache.org/jira/browse/GEODE-10470
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
