[ https://issues.apache.org/jira/browse/HIVE-24098?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sai Hemanth Gantasala resolved HIVE-24098.
------------------------------------------
    Resolution: Won't Fix

> Bump Jetty to 9.4.31.v20200723 to get rid of Tomcat CVE warnings
> ----------------------------------------------------------------
>
>                 Key: HIVE-24098
>                 URL: https://issues.apache.org/jira/browse/HIVE-24098
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>
> The Jetty jar has some fixes for transitive CVEs (apache-jsp; see details below).
> When using the Apache JServ Protocol (AJP), care must be taken when trusting 
> incoming connections to Apache Tomcat. Tomcat treats AJP connections as 
> having higher trust than, for example, a similar HTTP connection. If such 
> connections are available to an attacker, they can be exploited in ways that 
> may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, 
> and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default 
> that listened on all configured IP addresses. It was expected (and 
> recommended in the security guide) that this Connector would be disabled if 
> not required. This vulnerability report identified a mechanism that allowed:
> - returning arbitrary files from anywhere in the web application
> - processing any file in the web application as a JSP
> Further, if the web application allowed file upload and stored those files
> within the web application (or the attacker was able to control the content of
> the web application by some other means) then this, along with the ability to
> process a file as a JSP, made remote code execution possible. It is important
> to note that mitigation is only required if an AJP port is accessible to
> untrusted users.
> So we need to upgrade to Jetty 9.4.30+ to get rid of the Tomcat CVE warnings:
>  * [https://github.com/eclipse/jetty.project/commit/fedc7c65997d433bbdfc26fb3d861f8488f9c804]
>  * [https://github.com/eclipse/jetty.project/commit/74a2ce7a4299014d0b8e4549961e7034ae24c3d1]
> There are also a bunch of other misc fixes:
> [https://github.com/eclipse/jetty.project/releases]
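As an added example that is not part of this issue or of any Hive, Jetty or Tomcat code: a Python check for the condition the quoted text singles out, an AJP Connector in a Tomcat server.xml that is reachable beyond localhost rather than disabled or bound to loopback. The server.xml fragments, port numbers and the loopback address list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Addresses that keep an AJP Connector off the network (loopback only); constructed list.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def exposed_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP Connector not bound to a loopback address.

    A Connector is an AJP connector when its protocol attribute starts with
    "AJP/"; a Connector with no protocol attribute is an HTTP connector.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP/"):
            continue
        address = conn.get("address")  # absent: listens on all configured IPs
        if address is None or address not in LOOPBACK:
            findings.append({
                "port": conn.get("port"),
                "address": address or "0.0.0.0 (all interfaces)",
                "protocol": protocol,
            })
    return findings


# Constructed fragment mirroring the weak default the issue describes: an AJP
# Connector enabled with no address restriction.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed hardened fragment: the AJP Connector is bound to loopback only.
# Removing or commenting out the Connector (the issue's "disabled if not
# required") also clears the finding, since ElementTree skips XML comments.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, exposed_ajp_connectors(xml))
```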

--
This message was sent by Atlassian Jira
(v8.20.10#820010)