Re: Jetty(Jetty 9.4.52) vulnerability in Karaf 4.3.10

2024-03-03 Thread Jean-Baptiste Onofré
In that case, please double check first if you are actually impacted by the CVE.

It's possible to tweak your karaf version by updating, but you have to
do it "cold".

Regards
JB

On Mon, Mar 4, 2024 at 6:21 AM Chandan Singh wrote:
>
> Hi JB ,
>
> Can you please share how to upgrade just Pax Web/Jetty in the 4.3.10 version?
> We are already in prod and I cannot upgrade to a new Karaf version.
>
> Regards
> Chandan
>
> On Fri, Mar 1, 2024 at 12:41 PM Jean-Baptiste Onofré wrote:
>>
>> Hi
>>
>> You can create your own custom Karaf distribution upgrading PaxWeb/Jetty.
>>
>> Or you can update to the latest Karaf version.
>>
>> Regards
>> JB
>>
>> On Tue, Feb 27, 2024 at 12:57 PM Chandan Singh wrote:
>>>
>>> Is there any way we can upgrade the Jetty version in Karaf 4.3.10 to the
>>> latest Jetty version?
>>>
>>> Regards
>>> Chandan
>>>
>>> On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek wrote:
>>>>
>>>> Hello
>>>>
>>>> Karaf 4.3.x uses Pax Web 7.x and there is a pax-jetty-http2 feature. It
>>>> comes with a warning:
>>>>
>>>> Please beware, for this feature to run properly you'll need to add the
>>>> alpn-boot.jar to the lib/ext folder of Karaf in some cases of your JVM.
>>>>
>>>> So it's kind of not working by default. But it depends on how smart (or
>>>> dumb, which is more often probably...) the scanner is. When you start a
>>>> fresh Karaf you don't even have an HTTP server running at all. So it's kind
>>>> of "safe by default". But you can install any bundle there - whether or
>>>> not it comes from standard Karaf features.
>>>>
>>>> In other words - I don't have a good answer... I just wanted to communicate
>>>> that it's not an easy question ;)
>>>>
>>>> regards
>>>> Grzegorz Grzybek
>>>>
>>>> On Thu, 22 Feb 2024 at 13:47 Richard Hierlmeier wrote:
>>>>>
>>>>> We already did a security scan, it detected CVE-2023-36478 and
>>>>> CVE-2023-44487
>>>>>
>>>>> Both CVEs are related to HTTP2. I thought that HTTP2 was not possible
>>>>> in Karaf 4.3.
>>>>>
>>>>> Can someone confirm this assumption?
>>>>>
>>>>> Regards
>>>>>
>>>>> Richard
>>>>>
>>>>>
>>>>> On Thu, 22 Feb 2024 at 11:23 Chandan Singh wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> During a recent Security Scan we found a vulnerability reported
>>>>>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>>>>>> any recommendations on the same?
>>>>>>
>>>>>> Regards
>>>>>> Chandan

Re: Jetty(Jetty 9.4.52) vulnerability in Karaf 4.3.10

2024-03-03 Thread Grzegorz Grzybek
Hello

If you're already in production, I'd think twice before upgrading to Pax
Web 8 - it changes A LOT. You _may_ be dependent on some not-spec-compliant
behavior of Pax Web 7 used in Karaf 4.3.

Also (though I'm not a security expert, so I can't take responsibility if
you in any way use my advice ;), CVE-2023-36478 is about the HTTP/2 protocol
and Pax Web 7 doesn't even include support for this part of Jetty. After
you have scanned the Jetty version, please scan Karaf to check whether the
HTTP/2 protocol is enabled in the first place.

kind regards
Grzegorz Grzybek

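Grzegorz's point above is that the scanner flagging the Jetty 9.4.52 version string is not the same as the HTTP/2 code path being reachable, so the useful follow-up is to check whether HTTP/2 is actually enabled. The script below is an added example, not part of this thread and not code from Karaf, Pax Web or Jetty. It does two things: it parses the output of Karaf's `bundle:list -s -t 0` shell command and flags Jetty HTTP/2 or ALPN bundles (the column layout and the `org.eclipse.jetty.http2.*` / `org.eclipse.jetty.alpn.*` symbolic names are my assumptions), and it probes a listener for h2 over TLS via ALPN and for cleartext h2c via the HTTP/2 connection preface and the `Upgrade: h2c` handshake. The host names, ports and the sample shell output are constructed for illustration.

```python
"""Check whether a Karaf/Pax Web endpoint actually speaks HTTP/2.

Added example, not code from Karaf, Pax Web or Jetty. Two checks:
  1. offline: parse `bundle:list -s -t 0` output from the Karaf shell and flag
     Jetty HTTP/2 / ALPN bundles (column layout assumed to be Karaf 4.3's);
  2. online: probe a listener for h2 over TLS (ALPN) and for h2c on cleartext
     (prior-knowledge preface and the Upgrade: h2c handshake).
Host/port values and the sample shell output below are constructed.
"""
import socket
import ssl

# Jetty 9.4 HTTP/2 bundle symbolic names (assumed; adjust if your distro differs).
H2_BUNDLE_PREFIXES = ("org.eclipse.jetty.http2.", "org.eclipse.jetty.alpn.")

# Constructed sample of `bundle:list -s -t 0` output; the column separator is
# the box-drawing bar Karaf prints (a plain '|' is accepted too).
SAMPLE_BUNDLE_LIST = """\
START LEVEL 100 , List Threshold: 0
 ID │ State  │ Lvl │ Version          │ Symbolic name
────┼────────┼─────┼──────────────────┼────────────────────────────────
 57 │ Active │  80 │ 9.4.52.v20230823 │ org.eclipse.jetty.server
 58 │ Active │  80 │ 9.4.52.v20230823 │ org.eclipse.jetty.http
 61 │ Active │  80 │ 9.4.52.v20230823 │ org.eclipse.jetty.http2.server
 62 │ Active │  80 │ 9.4.52.v20230823 │ org.eclipse.jetty.http2.hpack
"""


def parse_bundle_list(text):
    """Return (symbolic_name, version, state) for every bundle row."""
    rows = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.replace("|", "│").split("│")]
        if len(cols) < 5 or not cols[0].isdigit():
            continue  # header, separator or "START LEVEL" line
        rows.append((cols[4], cols[3], cols[1]))
    return rows


def http2_bundles(text):
    """(symbolic_name, state) of installed Jetty HTTP/2 or ALPN bundles."""
    return [(n, s) for n, _v, s in parse_bundle_list(text)
            if n.startswith(H2_BUNDLE_PREFIXES)]


def jetty_versions(text):
    """Distinct versions of the org.eclipse.jetty.* bundles in the listing."""
    return sorted({v for n, v, _s in parse_bundle_list(text)
                   if n.startswith("org.eclipse.jetty.")})


# --- online probes ---------------------------------------------------------

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# Frame header: 3-byte length (0), type 0x04 SETTINGS, flags 0, stream id 0.
EMPTY_SETTINGS = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"


def classify_preface_reply(data):
    """'h2' if the reply is an HTTP/2 SETTINGS frame on stream 0, 'http/1.1'
    if it is an HTTP/1.x status line (the 400/505 a non-h2 server sends back
    for the preface), otherwise 'unknown'."""
    if len(data) >= 9 and data[3] == 0x04 and data[5:9] == b"\x00\x00\x00\x00":
        return "h2"
    if data.startswith(b"HTTP/1."):
        return "http/1.1"
    return "unknown"


def is_h2c_upgrade_accepted(data):
    """True only for a 101 Switching Protocols that names h2c."""
    head = data.split(b"\r\n\r\n", 1)[0]
    return head.startswith(b"HTTP/1.1 101") and b"upgrade: h2c" in head.lower()


def _exchange(host, port, payload, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(4096)
        except (socket.timeout, ConnectionError):
            return b""


def probe_h2c_prior_knowledge(host, port):
    return classify_preface_reply(_exchange(host, port, H2_PREFACE + EMPTY_SETTINGS))


def probe_h2c_upgrade(host, port):
    req = (f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: Upgrade, HTTP2-Settings\r\n"
           f"Upgrade: h2c\r\nHTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n").encode()
    return is_h2c_upgrade_accepted(_exchange(host, port, req))


def probe_alpn(host, port, timeout=5.0):
    """Protocol the server selects via ALPN when we offer h2 first; None if none."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # fingerprinting, not trusting the endpoint
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    print("HTTP/2 bundles in sample:", http2_bundles(SAMPLE_BUNDLE_LIST))
    print("Jetty versions in sample:", jetty_versions(SAMPLE_BUNDLE_LIST))
    # 8181 is Karaf's usual HTTP port; the 8443 TLS port is an assumption.
    try:
        print("h2c prior knowledge:", probe_h2c_prior_knowledge("localhost", 8181))
        print("h2c upgrade:", probe_h2c_upgrade("localhost", 8181))
        print("ALPN on 8443:", probe_alpn("localhost", 8443))
    except OSError as exc:
        print("probe failed:", exc)
```

Run it against the Karaf host with the real `bundle:list -s -t 0` output pasted into `SAMPLE_BUNDLE_LIST`. A Pax Web 7 instance without the pax-jetty-http2 feature should answer the preface with an HTTP/1.x error status, decline the h2c upgrade, and select `http/1.1` (or nothing) via ALPN; an `h2` result on any of the three paths means the HTTP/2 code path the two CVEs concern is reachable, whatever the bundle list says.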


Re: Jetty(Jetty 9.4.52) vulnerability in Karaf 4.3.10

2024-03-03 Thread Chandan Singh
Hi JB ,

Can you please share how to upgrade just Pax Web/Jetty in the 4.3.10
version? We are already in prod and I cannot upgrade to a new Karaf version.

Regards
Chandan
