[NMS-13009] CVE-2020-27216: Jetty webserver vulnerability - The OpenNMS Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Meridian-2018.1.24, Meridian-2019.1.14, Meridian-2020.1.2, 27.0.1
Component/s: None
Security Level: Default (Default Security Scheme)
Labels:
- horizon-sprint

Sprint:
Horizon 2020 - Nov 11-Nov 24
Docs Needed:

No

Description

GitHub detected a high severity vulnerability against our Jetty web server, see https://github.com/advisories/GHSA-g3wg-6mcf-8jj6. To mitigate the vulnerability we have to upgrade our Jetty web server from 9.4.30.v20200611 to 9.4.34.v20201102.

The dependency bot from GitHub was not able to upgrade the latest version because we have a version limit in our pom.xml for the web app:

<dependency>
 <groupId>org.eclipse.jetty</groupId>
 <artifactId>jetty-webapp</artifactId>
 <version>[9.4.33,)</version>
</dependency>

or set a custom temp directory as workaround

java -Djava.io.tmpdir=/var/web/work -jar start.jar

Attachments

Activity

People

Assignee:: Benjamin Reed

Reporter:: Ronny Trommer

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Nov/20 8:03 AM

Updated:: 01/Dec/20 4:26 PM

Resolved:: 18/Nov/20 7:37 PM