[
https://issues.apache.org/jira/browse/GEODE-10470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jinwoo Hwang resolved GEODE-10470.
----------------------------------
Resolution: Fixed
> Migrate Jetty from 9.4.57 to 12 or higher
> -----------------------------------------
>
> Key: GEODE-10470
> URL: https://issues.apache.org/jira/browse/GEODE-10470
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
> Fix For: 2.0.0
>
>
> *Problem Statement:* Apache Geode currently uses Eclipse Jetty
> 9.4.57.v20241219 as its embedded HTTP server. This version has several issues
> that need to be addressed:
> * *Security Vulnerability:* CVE-2025-5115 affects Jetty versions ≤9.4.57,
> where HTTP/2 clients may trigger the server to send RST_STREAM frames,
> potentially leading to denial of service attacks through malformed frame
> processing. It's not been confirmed whether Geode is vulnerable to this.
> * *End-of-Life Support:* Jetty 9.4.x series is approaching end-of-life, with
> limited future security updates and bug fixes.
> * *Performance Improvements:* Jetty 12.x offers significant performance
> enhancements, better HTTP/2 support, and improved memory efficiency.
> *Current Usage in Geode:* Jetty is extensively used throughout the Apache
> Geode codebase in the following components:
> * *geode-http-service*: Core HTTP service implementation
> (InternalHttpService.java)
> * *geode-pulse*: Web-based management console (test framework)
> * *Session management testing*: Integration with web servers for session
> module testing
> * *REST API endpoints*: Supporting web management and API services
> * *Web application deployment*: WAR file deployment and servlet
> container functionality
> *Affected Modules:*
> * geode-http-service (primary usage)
> * geode-pulse-test
> * geode-modules-session (testing)
> * geode-assembly (distribution and testing)
> h3. *Scope of Changes*
> * *Dependency Updates:*
> ** Update jetty.version in DependencyConstraints.groovy from
> {{9.4.57.v20241219}} to {{12 or higher}}
> ** Update all Jetty-related dependencies:
> *** org.eclipse.jetty:jetty-server
> *** org.eclipse.jetty:jetty-webapp
> *** org.eclipse.jetty:jetty-distribution
> * *Code Migration:*
> ** *API Changes*: Jetty 12 introduces breaking API changes that require
> code updates
> ** *SSL Configuration*: Update SSL context factory usage
> (SslContextFactory.Server)
> ** *HTTP Configuration*: Migrate HTTP configuration classes
> ** *WebApp Context*: Update web application deployment mechanisms
> ** *Connector Configuration*: Update server connector setup
> * *Configuration Updates:*
> ** Update hardcoded Jetty versions in test files
> ** Modify Jetty distribution downloads in assembly
> ** Update session testing configurations
> h3. *Technical Considerations*
> *Breaking Changes Expected:*
> * Package reorganization (jakarta.* vs javax.*)
> * API method signature changes
> * Configuration class restructuring
> * SSL/TLS configuration updates
> *Benefits:*
> * *Security*: Addresses CVE-2025-5115 and other vulnerabilities
> * *Performance*: Improved HTTP/2 support and better resource utilization
> * *Support*: Long-term support and active development
> * *Standards Compliance*: Better adherence to Jakarta EE specifications
> * *Memory Efficiency*: Reduced memory footprint and improved garbage
> collection
> h3. *Acceptance Criteria*
> * All Jetty dependencies updated to version 12.x
> * InternalHttpService successfully starts with Jetty 12
> * SSL/TLS functionality works correctly with new SSL configuration
> * Geode Pulse web console loads and functions properly
> * REST API endpoints remain functional
> * Session management tests pass with updated Jetty
> * No regression in HTTP service performance
> * All existing unit and integration tests pass
> * CVE-2025-5115 and other vulnerabilities resolved
> * Documentation updated for any configuration changes
> h3. *Testing Requirements*
> # *Unit Tests*: All existing HTTP service tests must pass
> # *Integration Tests*: Web application deployment and servlet
> functionality
> # *Performance Testing*: Ensure no regression in HTTP service performance
> # *Compatibility Testing*: Test with all supported web applications
> (Pulse, REST APIs)
> h3. *Risk Assessment*
> * *High*: API breaking changes may require significant code refactoring
> * *Medium*: Potential compatibility issues with existing web applications
> * *Low*: Well-documented migration path from Jetty project
> h3. *Estimated Effort*
> * Development: 2-3 weeks
> * Testing: 1-2 weeks
> * Documentation: 1 week
> h3. *Dependencies*
> * Review Jakarta EE migration requirements
> * Coordinate with Spring Security upgrade (if needed for compatibility)
> * Validate with current Java 17 compatibility
> ----
> This comprehensive JIRA description covers all the essential aspects of the
> Jetty migration, including the security vulnerability (CVE-2025-5115),
> current usage analysis, and detailed migration requirements.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
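The quoted description lists the Jetty 12 changes in the abstract (SslContextFactory.Server, HTTP configuration, connector setup, WebApp context, jakarta.* packages). The block below is an added example of what that wiring looks like on Jetty 12 with the EE10 servlet layer; it is not code from Geode's InternalHttpService or from the Jetty project, and the keystore path, password, port, context path and WAR path are placeholders. The TLS settings (TLS 1.2/1.3 only, renegotiation off, SNI host check, server version header suppressed) are the defaults a reviewer would expect on the migrated connector rather than anything the issue itself prescribes.

```java
// Added example: minimal Jetty 12 (EE10) HTTPS server assembled the way the
// "Code Migration" bullets describe. Not Geode code; every path, port and
// password here is a placeholder.
import org.eclipse.jetty.ee10.webapp.WebAppContext; // jakarta.* servlet API lives under ee10 in Jetty 12
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Jetty12HttpsExample {

    /** The SslContextFactory.Server the issue's "SSL Configuration" bullet refers to. */
    static SslContextFactory.Server buildSslContextFactory(String keyStorePath, String keyStorePassword) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);          // placeholder path, e.g. a PKCS12 file
        ssl.setKeyStorePassword(keyStorePassword);  // placeholder; load from secret storage in practice
        // Restrict negotiation to current TLS versions.
        ssl.setIncludeProtocols("TLSv1.3", "TLSv1.2");
        // Client-initiated renegotiation is a classic resource-exhaustion vector; keep it off.
        ssl.setRenegotiationAllowed(false);
        return ssl;
    }

    /** Server, HttpConfiguration, ServerConnector and WebAppContext in Jetty 12 form. */
    static Server buildServer(int httpsPort, SslContextFactory.Server ssl, String warPath) {
        Server server = new Server();

        // "HTTP Configuration": the HttpConfiguration object carries the secure-scheme
        // settings and the customizer that exposes TLS details to requests.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(httpsPort);
        httpsConfig.setSendServerVersion(false);    // do not advertise the Jetty version
        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        customizer.setSniHostCheck(true);           // reject requests whose Host does not match the SNI name
        httpsConfig.addCustomizer(customizer);

        // "Connector Configuration": TLS connection factory chained in front of HTTP/1.1.
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setHost("127.0.0.1");                 // placeholder bind address
        https.setPort(httpsPort);
        server.addConnector(https);

        // "WebApp Context": the EE10 WebAppContext deploys a WAR under a context path.
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/pulse");            // placeholder context path
        webapp.setWar(warPath);                     // placeholder WAR location

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        contexts.addHandler(webapp);
        server.setHandler(contexts);
        return server;
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory.Server ssl =
                buildSslContextFactory("/path/to/keystore.p12", "changeit"); // placeholders
        Server server = buildServer(8443, ssl, "/path/to/pulse.war");        // placeholders
        server.start();
        server.join();
    }
}
```

On the classpath this needs jetty-server, jetty-util and jetty-ee10-webapp from the 12.x line; the javax.* servlet imports that a 9.4 code base carries must move to jakarta.* before the WAR will deploy under the ee10 context, which is the package reorganization the issue's "Breaking Changes Expected" list anticipates.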