[ https://issues.apache.org/jira/browse/GEODE-10470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jinwoo Hwang updated GEODE-10470:
---------------------------------
    Description: 
*Problem Statement:* Apache Geode currently uses Eclipse Jetty 9.4.57.v20241219 
as its embedded HTTP server. This version has several issues that need to be 
addressed:
 * *Security Vulnerability:* CVE-2025-5115 affects Jetty versions ≤9.4.57, 
where HTTP/2 clients may trigger the server to send RST_STREAM frames, 
potentially leading to denial of service attacks through malformed frame 
processing. It has not been confirmed whether Geode is vulnerable to this.
 * *End-of-Life Support:* Jetty 9.4.x series is approaching end-of-life, with 
limited future security updates and bug fixes.
 * *Performance Improvements:* Jetty 12.x offers significant performance 
enhancements, better HTTP/2 support, and improved memory efficiency.

*Current Usage in Geode:* Jetty is extensively used throughout the Apache Geode 
codebase in the following components:
 * {*}geode-http-service{*}: Core HTTP service implementation 
(InternalHttpService.java)
 * {*}geode-pulse{*}: Web-based management console (test framework)
 * {*}Session management testing{*}: Integration with web servers for session 
module testing
 * {*}REST API endpoints{*}: Supporting web management and API services
 * {*}Web application deployment{*}: WAR file deployment and servlet container 
functionality

*Affected Modules:*
 * geode-http-service (primary usage)
 * geode-pulse-test
 * geode-modules-session (testing)
 * geode-assembly (distribution and testing)

h3. *Scope of Changes*
 * *Dependency Updates:*
 ** Update jetty.version in DependencyConstraints.groovy from 
{{9.4.57.v20241219}} to {{12 or higher}}
 ** Update all Jetty-related dependencies:
 *** org.eclipse.jetty:jetty-server
 *** org.eclipse.jetty:jetty-webapp
 *** org.eclipse.jetty:jetty-distribution
 * *Code Migration:*
 ** {*}API Changes{*}: Jetty 12 introduces breaking API changes that require 
code updates
 ** {*}SSL Configuration{*}: Update SSL context factory usage 
(SslContextFactory.Server)
 ** {*}HTTP Configuration{*}: Migrate HTTP configuration classes
 ** {*}WebApp Context{*}: Update web application deployment mechanisms
 ** {*}Connector Configuration{*}: Update server connector setup
 * *Configuration Updates:*
 ** Update hardcoded Jetty versions in test files
 ** Modify Jetty distribution downloads in assembly
 ** Update session testing configurations
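As an added example (not Geode's InternalHttpService and not the Jetty project's own code) of what the four Code Migration items above look like on Jetty 12 with the ee10 (jakarta.servlet) environment; the WAR path, keystore path and password, context path and port are assumed placeholders, and the ee10 artifact name comes from Jetty 12's module layout rather than from this ticket.

```java
// Added example, not Geode or Jetty project code: a minimal Jetty 12 / ee10 server
// wiring the ticket's four migration points. Paths, password and port are placeholders.
import org.eclipse.jetty.ee10.webapp.WebAppContext;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Jetty12Example {
    public static Server build(String warPath, String keyStorePath, String keyStorePassword) {
        Server server = new Server();

        // HTTP Configuration: class name unchanged from 9.4; suppress server fingerprint headers
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setSendServerVersion(false);
        httpConfig.setSendXPoweredBy(false);
        httpConfig.addCustomizer(new SecureRequestCustomizer());

        // SSL Configuration: the server-side factory the ticket names
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);
        ssl.setKeyStorePassword(keyStorePassword);
        ssl.setIncludeProtocols("TLSv1.2", "TLSv1.3");

        // Connector Configuration: TLS in front of HTTP/1.1 only; with no HTTP/2
        // connection factory registered, the h2 frame-handling code path is never reached
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpConfig));
        https.setPort(8443);
        server.addConnector(https);

        // WebApp Context: in Jetty 12 WebAppContext lives in the ee10 (jakarta.servlet)
        // environment artifact org.eclipse.jetty.ee10:jetty-ee10-webapp, not jetty-webapp
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/geode");
        webapp.setWar(warPath);
        server.setHandler(webapp);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build("/path/to/app.war", "/path/to/keystore.p12", "changeit");
        server.start();
        server.join();
    }
}
```

SecureRequestCustomizer in Jetty 12 enables the SNI host check by default, so a deployment reached by bare IP address will need that setting reviewed as part of the SSL/TLS configuration work.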

h3. *Technical Considerations*

*Breaking Changes Expected:*
 * Package reorganization (jakarta.* vs javax.*)
 * API method signature changes
 * Configuration class restructuring
 * SSL/TLS configuration updates

*Benefits:*
 * {*}Security{*}: Addresses CVE-2025-5115 and other vulnerabilities
 * {*}Performance{*}: Improved HTTP/2 support and better resource utilization
 * {*}Support{*}: Long-term support and active development
 * {*}Standards Compliance{*}: Better adherence to Jakarta EE specifications
 * {*}Memory Efficiency{*}: Reduced memory footprint and improved garbage 
collection

h3. *Acceptance Criteria*
 *  All Jetty dependencies updated to version 12.x
 *  InternalHttpService successfully starts with Jetty 12
 *  SSL/TLS functionality works correctly with new SSL configuration
 *  Geode Pulse web console loads and functions properly
 *  REST API endpoints remain functional
 *  Session management tests pass with updated Jetty
 *  No regression in HTTP service performance
 *  All existing unit and integration tests pass
 *  CVE-2025-5115 and other vulnerabilities resolved
 *  Documentation updated for any configuration changes

h3. *Testing Requirements*
 # {*}Unit Tests{*}: All existing HTTP service tests must pass
 # {*}Integration Tests{*}: Web application deployment and servlet functionality
 # {*}Performance Testing{*}: Ensure no regression in HTTP service performance
 # {*}Compatibility Testing{*}: Test with all supported web applications 
(Pulse, REST APIs)

h3. *Risk Assessment*
 * {*}High{*}: API breaking changes may require significant code refactoring
 * {*}Medium{*}: Potential compatibility issues with existing web applications
 * {*}Low{*}: Well-documented migration path from Jetty project

h3. *Estimated Effort*
 * Development: 2-3 weeks
 * Testing: 1-2 weeks
 * Documentation: 1 week

h3. *Dependencies*
 * Review Jakarta EE migration requirements
 * Coordinate with Spring Security upgrade (if needed for compatibility)
 * Validate with current Java 17 compatibility

----
This comprehensive JIRA description covers all the essential aspects of the 
Jetty migration, including the security vulnerability (CVE-2025-5115), current 
usage analysis, and detailed migration requirements.

  was:
*Problem Statement:* Apache Geode currently uses Eclipse Jetty 9.4.57.v20241219 
as its embedded HTTP server. This version has several issues that need to be 
addressed:
 # *Security Vulnerability:* CVE-2025-5115 affects Jetty versions ≤9.4.57, 
where HTTP/2 clients may trigger the server to send RST_STREAM frames, 
potentially leading to denial of service attacks through malformed frame 
processing.

 # *End-of-Life Support:* Jetty 9.4.x series is approaching end-of-life, with 
limited future security updates and bug fixes.

 # *Performance Improvements:* Jetty 12.x offers significant performance 
enhancements, better HTTP/2 support, and improved memory efficiency.

*Current Usage in Geode:* Jetty is extensively used throughout the Apache Geode 
codebase in the following components:
 * {*}geode-http-service{*}: Core HTTP service implementation 
(InternalHttpService.java)
 * {*}geode-pulse{*}: Web-based management console (test framework)
 * {*}Session management testing{*}: Integration with web servers for session 
module testing
 * {*}REST API endpoints{*}: Supporting web management and API services
 * {*}Web application deployment{*}: WAR file deployment and servlet container 
functionality

*Affected Modules:*
 * geode-http-service (primary usage)
 * geode-pulse-test
 * geode-modules-session (testing)
 * geode-assembly (distribution and testing)

h3. *Scope of Changes*
 # *Dependency Updates:*

 ** Update jetty.version in DependencyConstraints.groovy from 
{{9.4.57.v20241219}} to {{12 or higher}}
 ** Update all Jetty-related dependencies:
 *** org.eclipse.jetty:jetty-server
 *** org.eclipse.jetty:jetty-webapp
 *** org.eclipse.jetty:jetty-distribution
 # *Code Migration:*

 ** {*}API Changes{*}: Jetty 12 introduces breaking API changes that require 
code updates
 ** {*}SSL Configuration{*}: Update SSL context factory usage 
(SslContextFactory.Server)
 ** {*}HTTP Configuration{*}: Migrate HTTP configuration classes
 ** {*}WebApp Context{*}: Update web application deployment mechanisms
 ** {*}Connector Configuration{*}: Update server connector setup
 # *Configuration Updates:*

 ** Update hardcoded Jetty versions in test files
 ** Modify Jetty distribution downloads in assembly
 ** Update session testing configurations

h3. *Technical Considerations*

*Breaking Changes Expected:*
 * Package reorganization (jakarta.* vs javax.*)
 * API method signature changes
 * Configuration class restructuring
 * SSL/TLS configuration updates

*Benefits:*
 * {*}Security{*}: Addresses CVE-2025-5115 and future vulnerabilities
 * {*}Performance{*}: Improved HTTP/2 support and better resource utilization
 * {*}Support{*}: Long-term support and active development
 * {*}Standards Compliance{*}: Better adherence to Jakarta EE specifications
 * {*}Memory Efficiency{*}: Reduced memory footprint and improved garbage 
collection

h3. *Acceptance Criteria*
 *  All Jetty dependencies updated to version 12.x
 *  InternalHttpService successfully starts with Jetty 12
 *  SSL/TLS functionality works correctly with new SSL configuration
 *  Geode Pulse web console loads and functions properly
 *  REST API endpoints remain functional
 *  Session management tests pass with updated Jetty
 *  No regression in HTTP service performance
 *  All existing unit and integration tests pass
 *  CVE-2025-5115 vulnerability resolved
 *  Documentation updated for any configuration changes

h3. *Testing Requirements*
 # {*}Unit Tests{*}: All existing HTTP service tests must pass
 # {*}Integration Tests{*}: Web application deployment and servlet functionality
 # {*}Security Testing{*}: Verify CVE-2025-5115 is resolved
 # {*}Performance Testing{*}: Ensure no regression in HTTP service performance
 # {*}Compatibility Testing{*}: Test with all supported web applications 
(Pulse, REST APIs)

h3. *Risk Assessment*
 * {*}High{*}: API breaking changes may require significant code refactoring
 * {*}Medium{*}: Potential compatibility issues with existing web applications
 * {*}Low{*}: Well-documented migration path from Jetty project

h3. *Estimated Effort*
 * Development: 2-3 weeks
 * Testing: 1-2 weeks
 * Documentation: 1 week

h3. *Dependencies*
 * Review Jakarta EE migration requirements
 * Coordinate with Spring Security upgrade (if needed for compatibility)
 * Validate with current Java 17 compatibility

----
This comprehensive JIRA description covers all the essential aspects of the 
Jetty migration, including the security vulnerability (CVE-2025-5115), current 
usage analysis, and detailed migration requirements.


> Migrate Jetty from 9.4.57 to 12 or higher
> -----------------------------------------
>
>                 Key: GEODE-10470
>                 URL: https://issues.apache.org/jira/browse/GEODE-10470
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
