Jetty Dependency Outdated and Vulnerable

[hland]

The Jetty that is used in Druid is now almost two years old:

<jetty.version>9.2.5.v20141112</jetty.version>

This is a problem because this version is affected by security vulnerabilities discovered in Jetty since then, such as the following one that lets an attacker access server-side memory contents from the webserver:
CVE-2015-2080

Druid should upgrade to the latest version of Jetty found here and advise customers to update their systems:
http://www.eclipse.org/jetty/download.html

[gianm]

thanks @hland. I guess 9.2.19.v20160908 is the version to use since we still support java 7.

Druids: Should we backport to 0.9.2? I'm thinking yes?

[hland]

You are welcome Human. Glad to see that you that you are taking care of this 👍

[nishantmonu51]

I retracted my previous comment,
Actually the reason for using an old version was jetty/jetty.project#277
related Jetty issues -
jetty/jetty.project#235
jetty/jetty.project#277

Unfortunately, the fix seems to be only in 9.3.x line. So it may not be a good idea to update to 9.2.19 as it potentially can cause all jetty threads to hang.

[drcrallen]

yeah, I remember that one.

[gianm]

I just tried upgrading to jetty 9.2.19.v20160908 and the bug still happens when Expect: 100-continue is set as a header. It does only affect the router though.

[gianm]

Actually that still happens on 9.3.12.v20160915 too, because the commit that fixes jetty/jetty.project#277 hasn't hit a release yet.

[gianm]

@hland do you have insight into whether jetty/jetty.project#277 will be part of the next 9.2.x release? If so I think we should upgrade to that when it's available.

[jmcc0nn3ll]

@gianm 9.3.13.v20161014 is in maven central now

[gianm]

@jmcc0nn3ll, thanks; 9.3.13.v20161014 does work when I try it locally. But we still support Java 7 in Druid- do you know if there's a 9.2.x jetty release with everything we're looking for (the security fix[es] and the proxy fix)?

[gianm]

Closed by #3914