Reputation: 37034
How to get rid of critical vulnerabilities of jetty-websocket ? (CVE-2017-7657 CVE-2017-7658)
I am working on the fork of guacamole-client
I(and also original project) has depedency:
<!-- Jetty 8 servlet API (websocket) -->
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-websocket</artifactId>
<version>8.1.1.v20120215</version>
<scope>provided</scope>
</dependency>
Based on result of security analyzer this dependency has 2 critical vulnurabilities:
Based on https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-websocket/8.1.1.v20120215
This vulnerabilities come from its dependencies:
Looks like those vulnerabilities are taken from:
org.eclipse.jetty » jetty-server » 8.1.1.v20120215
I see that the latest version of jetty-websocket is 8.2.0.v20160908 but it was released in 2016 and it still contains this issue because it references jetty-server 8.2.0.v20160908
Those vulnerabilities are fixed in jetty-server » 9.3.24.v20180605
but there are no correspondng version of jetty-websocket so I have no idea how can I fix this issue.
Is there way to get rid of those vunerabilities ?
P.S.
I have imports:
import org.eclipse.jetty.websocket.WebSocket;
import org.eclipse.jetty.websocket.WebSocket.Connection;
import org.eclipse.jetty.websocket.WebSocketServlet;
What do I have to replace them with ?
Upvotes: 1
Views: 153
Answers (1)
Reputation: 49452
- Jetty 8 was EOL back in 2014.
- Jetty 9 went EOL in 2022.
- Jetty 10 and Jetty 11 went EOL in 2024.
The only version supported right now is Jetty 12. - https://jetty.org/download.html#what-version-do-i-use
If you need support for the old javax.servlet namespace, use the ee8 environment in Jetty 12.
Note that WebSocket has undergone large changes since Jetty 8.
- The Jetty 8 implementation of WebSocket was back when WebSocket was still a draft spec.
- Jetty 9 made changes to support the released WebSocket spec. (and the original
jetty-websocketartifact was split up) - Jetty 10 made changes to support WebSocket on HTTP/2 (and more splits in the websocket artifacts were made)
- Jetty 12 made changes to support WebSocket on any protocol (even oddball ones like UnixSocket) (and even more websocket artifacts were made)
These changes also changed the maven coordinates.
See the migration guides for coordinate changes.
- Migration Guide 9.4 to 10/11 : https://jetty.org/docs/jetty/12/programming-guide/migration/94-to-10.html
- Migration Guide 10/11 to 12 : https://jetty.org/docs/jetty/12/programming-guide/migration/11-to-12.html
Upvotes: 1
Related Questions
- How can I get the current stack trace in Java?
- How do I get a class instance of generic type T?
- Vulnerablities for tomcat-embed-core in OWASP DependencyTrack
- Why is a vulnerability identified by the OWASP Dependency-Check tool for Mule Runtime 4.4.0 if it doesn't actually belong to that version?
- How to resolve spring-boot-starter-mail:3.0.6 dependency vulnerabilities?
- How to get the current working directory in Java?
- Why do we have to fix security vulnerabilities on the test scope dependencies?
- How to overwrite version of transitive dependency Groovy from Thymeleaf 1.5.8.RELEASE in Spring Boot using Gradle