[ https://issues.apache.org/jira/browse/TIKA-4757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Srinivasarao Daruna updated TIKA-4757:
--------------------------------------
Description:
CVE-2026-2332 (CVSS 9.1 Critical, CWE-444 — Inconsistent Interpretation of HTTP Requests)
describes an HTTP/1.1 request smuggling vulnerability in Jetty caused by improper
chunk-extension parsing. Affected versions: Jetty 11.0.0 through 11.0.26 (all releases).
Jetty 11.x is now EOL and received no backport fix. The remediation is available only in the
Jetty 12 line (>=12.0.33). Jetty 12.0.x requires Java 17, which is already the minimum JVM
version for this project — no Java upgrade is needed.

The following changes are required:

1. tika-parent/pom.xml
   - jetty.version: 11.0.26 -> 12.0.35
   - Rename http2 artifacts: http2-* -> jetty-http2-* (Jetty 12 artifact rename)
   - cxf.version: 4.0.11 -> 4.1.7 (CXF 4.1.x targets Jetty 12; was blocked on 4.0.x)
   - solrj.version: 9.10.1 -> 10.0.0 (SolrJ 9 embeds Jetty 11 HTTP client APIs, incompatible with Jetty 12)
2. tika-server/tika-server-core/pom.xml
   - Rename http2-server -> jetty-http2-server
   - Add jakarta.servlet-api 6.0.0 (Jetty 12 dropped the bundled EE9 servlet JAR)
3. tika-pipes-solr plugin (SolrEmitter.java, SolrPipesIterator.java)
   - Http2SolrClient -> HttpJettySolrClient (SolrJ 10 rename, in solr-solrj-jetty module)
   - LBHttpSolrClient -> LBJettySolrClient
   - Add solr-solrj-jetty dependency to tika-pipes-solr and tika-pipes-solr-integration-tests
4. tika-grpc PipesBiDirectionalStreamingIntegrationTest.java
   - PathResource (removed in Jetty 12) -> ResourceHandler.setBaseResourceAsString()

Note: LBJettySolrClient (SolrJ 10) no longer accepts an Apache HttpClient instance via
withHttpClient(). Proxy and auth configuration previously set via HttpClientFactory will need
to be reworked using Jetty's native HTTP client in a follow-up issue.
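To check a build against the items above, here is an added Python script (not part of Tika's build tooling) that audits a Maven POM for the Jetty 11 property, artifacts still carrying the pre-Jetty-12 http2-* names, and a Jetty 12 build that does not declare jakarta.servlet-api. It assumes the POM keeps the Jetty version in a <jetty.version> property, as tika-parent does, and takes the fixed threshold (>=12.0.33 on the 12.0 line) from this description; the two POM fragments are constructed for the example.

```python
"""Audit a Maven POM for the Jetty 11 -> 12 moves listed in TIKA-4757.

Added example, not Tika tooling. Assumptions: the Jetty version lives in a
<jetty.version> property and the fixed threshold for the 12.0 line is 12.0.33,
as the ticket states. 12.1 releases are not assessed here.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_JETTY_12_0 = (12, 0, 33)   # first fixed 12.0.x release per the ticket

# Constructed POM fragments: the "before" and "after" of the ticket's tika-parent changes.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>constructed-parent</artifactId><version>1</version>
  <properties>
    <jetty.version>11.0.26</jetty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty.http2</groupId>
      <artifactId>http2-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
  </dependencies>
</project>
"""

FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>constructed-parent</artifactId><version>1</version>
  <properties>
    <jetty.version>12.0.35</jetty.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty.http2</groupId>
      <artifactId>jetty-http2-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <dependency>
      <groupId>jakarta.servlet</groupId>
      <artifactId>jakarta.servlet-api</artifactId>
      <version>6.0.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _version_tuple(v: str) -> Tuple[int, ...]:
    """'12.0.35' -> (12, 0, 35); stops at the first non-numeric component."""
    parts: List[int] = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def audit_pom(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means none of the ticket's issues were seen."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    jetty = props.get("jetty.version")
    if jetty is None:
        findings.append("no jetty.version property found; cannot assess CVE-2026-2332")
        v: Tuple[int, ...] = ()
    else:
        v = _version_tuple(jetty)
        if v[:1] == (11,):
            findings.append(f"jetty.version {jetty}: Jetty 11.x is EOL with no fix; move to >= 12.0.33")
        elif v[:2] == (12, 0) and v < FIXED_JETTY_12_0:
            findings.append(f"jetty.version {jetty}: below the first fixed 12.0.x release 12.0.33")
    has_servlet_api = False
    for d in root.findall(".//m:dependency", NS):
        gid = d.findtext("m:groupId", "", NS).strip()
        aid = d.findtext("m:artifactId", "", NS).strip()
        if gid.startswith("org.eclipse.jetty") and aid.startswith("http2-"):
            findings.append(f"{gid}:{aid}: Jetty 12 renamed this artifact to jetty-{aid}")
        if aid == "jakarta.servlet-api":
            has_servlet_api = True
    if v[:1] == (12,) and not has_servlet_api:
        findings.append("Jetty 12 no longer bundles the EE9 servlet JAR; declare jakarta.servlet-api")
    return findings


if __name__ == "__main__":
    for label, pom in (("before", VULNERABLE_POM), ("after", FIXED_POM)):
        print(label, audit_pom(pom) or "no findings")
```

The script deliberately ignores `${...}` placeholders in dependency versions and judges only the property, since that is where a parent POM pins the Jetty line; run it over the module POMs as well to catch a hard-coded 11.x version that bypasses the property.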
was:
CVE-2026-2332 (CVSS 9.1 Critical) is an HTTP/1.1 request smuggling vulnerability in Jetty's
HTTP/1.1 chunk-extension parser. The parser terminates chunk-extension parsing at \r\n inside
quoted strings instead of treating this as an error, allowing unauthenticated remote attackers
to smuggle HTTP requests and compromise confidentiality and integrity (CWE-444).

Affected versions: Jetty 11.0.0–11.0.27
Apache Tika currently uses: 11.0.26 (vulnerable)
Fixed in: 11.0.28 (and 12.0.33 / 12.1.7 in newer lines)

Jetty 11.x is EOL (Nov 2024). The immediate fix is to upgrade jetty.version to 11.0.28.
Long-term, migration to Jetty 12.1.x is required, which depends on:

1. Java version upgrade
2. Resolving Http2SolrClient (SolrJ 9.10.0) compatibility with the Jetty 12 API
   (InputStreamResponseListener moved from org.eclipse.jetty.client.util to org.eclipse.jetty.client)
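The defect described in the old text is a line-termination decision: a parser that ends the chunk-size line at the first CRLF regardless of quoting state, and a parser that treats CR or LF inside a quoted-string as an error, split the same byte stream at different offsets, which is the CWE-444 condition. The following Python parser is an added example (not Jetty's code) that implements the RFC 9112 chunk-size-line grammar strictly, with a naive first-CRLF boundary finder beside it so a test can show where the two readings diverge; every input is constructed.

```python
"""Strict parser for the HTTP/1.1 chunk-size line (RFC 9112, section 7.1.1).

Added example for TIKA-4757, not Jetty's parser. Grammar implemented:
  chunk-size [ chunk-ext ] CRLF
  chunk-ext  = *( BWS ";" BWS token [ BWS "=" BWS ( token / quoted-string ) ] )
CR and LF are not qdtext, so a correct parser reports an error when it meets them
inside a quoted-string instead of ending the line there.
"""
from typing import Dict, Optional, Tuple

TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
HEXDIG = frozenset(b"0123456789abcdefABCDEF")
BWS = frozenset(b" \t")  # "bad whitespace": tolerated around ';' and '=', never meaningful
SEMI, EQ, DQUOTE, BACKSLASH = 0x3B, 0x3D, 0x22, 0x5C


class ChunkHeaderError(ValueError):
    """The bytes violate the chunk-size-line grammar."""


def _is_qdtext(c: int) -> bool:
    # qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text (CR and LF excluded)
    return c in (0x09, 0x20, 0x21) or 0x23 <= c <= 0x5B or 0x5D <= c <= 0x7E or c >= 0x80


def _is_quoted_pair_char(c: int) -> bool:
    # quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
    return c in (0x09, 0x20) or 0x21 <= c <= 0x7E or c >= 0x80


def _skip_bws(buf: bytes, i: int) -> int:
    while i < len(buf) and buf[i] in BWS:
        i += 1
    return i


def _take_token(buf: bytes, i: int, what: str) -> Tuple[str, int]:
    j = i
    while j < len(buf) and buf[j] in TCHAR:
        j += 1
    if j == i:
        raise ChunkHeaderError(f"expected {what} at offset {i}")
    return buf[i:j].decode("ascii"), j


def _take_quoted_string(buf: bytes, i: int) -> Tuple[str, int]:
    """buf[i] is the opening DQUOTE; returns the unescaped value and the offset after the close."""
    out = bytearray()
    i += 1
    while True:
        if i >= len(buf):
            raise ChunkHeaderError("truncated quoted-string")
        c = buf[i]
        if c == DQUOTE:
            return bytes(out).decode("latin-1"), i + 1
        if c == BACKSLASH:
            if i + 1 >= len(buf) or not _is_quoted_pair_char(buf[i + 1]):
                raise ChunkHeaderError(f"bad quoted-pair at offset {i}")
            out.append(buf[i + 1])
            i += 2
            continue
        if not _is_qdtext(c):
            # CR (0x0d) and LF (0x0a) land here: a quoted-string cannot span the line.
            raise ChunkHeaderError(f"illegal byte {c:#04x} inside quoted-string at offset {i}")
        out.append(c)
        i += 1


def parse_chunk_header(buf: bytes) -> Tuple[int, Dict[str, Optional[str]], int]:
    """Strictly parse the chunk-size line at the start of buf.

    Returns (chunk_size, extensions, header_length); header_length includes the
    terminating CRLF, so buf[header_length:] is where chunk-data begins.
    """
    j = 0
    while j < len(buf) and buf[j] in HEXDIG:
        j += 1
    if j == 0:
        raise ChunkHeaderError("missing chunk-size")
    size, i = int(buf[:j], 16), j
    exts: Dict[str, Optional[str]] = {}
    while True:
        i = _skip_bws(buf, i)
        if buf[i:i + 2] == b"\r\n":
            return size, exts, i + 2
        if i >= len(buf):
            raise ChunkHeaderError("truncated chunk header")
        if buf[i] != SEMI:
            raise ChunkHeaderError(f"unexpected byte {buf[i]:#04x} at offset {i}")
        name, i = _take_token(buf, _skip_bws(buf, i + 1), "chunk-ext-name")
        value: Optional[str] = None
        i = _skip_bws(buf, i)
        if i < len(buf) and buf[i] == EQ:
            i = _skip_bws(buf, i + 1)
            if i < len(buf) and buf[i] == DQUOTE:
                value, i = _take_quoted_string(buf, i)
            else:
                value, i = _take_token(buf, i, "chunk-ext-val")
        exts[name] = value


def is_valid_chunk_header(buf: bytes) -> bool:
    try:
        parse_chunk_header(buf)
        return True
    except ChunkHeaderError:
        return False


def naive_header_end(buf: bytes) -> Optional[int]:
    """Where a parser that only scans for the first CRLF ends the line (the lenient reading)."""
    k = buf.find(b"\r\n")
    return None if k < 0 else k + 2


def readings_agree(buf: bytes) -> bool:
    """True when the strict and the naive reading put the chunk-data boundary at the same offset.

    False on an input the naive reading accepts is the CWE-444 condition: two
    parsers in the same request path would split one stream differently.
    """
    try:
        strict_end = parse_chunk_header(buf)[2]
    except ChunkHeaderError:
        return naive_header_end(buf) is None
    return strict_end == naive_header_end(buf)
```

The strict parser is the right shape for a front-end or test harness check: it rejects bare LF line endings, empty extension names and any control byte inside a quoted value, so a mismatch with `naive_header_end` on accepted input is exactly the case a reviewer should flag.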
> Upgrade Jetty from 11.0.26 to 12.0.35 to fix CVE-2026-2332 (HTTP request smuggling, CVSS 9.1)
> ---------------------------------------------------------------------------------------------
>
> Key: TIKA-4757
> URL: https://issues.apache.org/jira/browse/TIKA-4757
> Project: Tika
> Issue Type: Bug
> Reporter: Srinivasarao Daruna
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)