grgrzybek commented on issue #2691:
URL: https://github.com/apache/karaf/issues/2691#issuecomment-4620964608
Hello
Thanks for the inspiration to read more about request smuggling at:
- https://github.com/advisories/GHSA-355h-qmc2-wpwf
- https://w4ke.info/2025/06/18/funky-chunks.html
The latter mentions that Jetty is vulnerable when sitting behind an "Imperva
CDN" proxy. I'm not saying every Karaf with Jetty is vulnerable and I'm not
a security expert, but I wouldn't say this is a critical vulnerability.
First - as far as I understand, it requires a reverse proxy setup.
And the attack (again - if I understand correctly) assumes that it's the
proxy's responsibility to reject the proverbial unauthenticated "/admin"
requests, while the backend server keeps accepting all requests.
Normally you have full protection at the server side.
However I don't fully understand how the proxy may interleave smuggled
requests and responses for other requests.
But long story short - Jetty 9 is no longer maintained upstream and if you
fear request smuggling, just switch from the pax-web-jetty feature to the
pax-web-tomcat feature.
With Pax Web 8 I put a lot of energy and time into ensuring interoperability
at the OSGi CMPN specification level.
Kind regards
Grzegorz Grzybek
Wed, 3 Jun 2026 at 16:19 Andre Schlegel-Tylla ***@***.***>
wrote:
> *AndreVirtimo* left a comment (apache/karaf#2691)
> <https://github.com/apache/karaf/issues/2691#issuecomment-4613301115>
>
> Jetty 9.4 has reached its End of Life (EOL). A pax-web update with Jetty
> 12 support is planned for Karaf 4.5.x. A release vote is scheduled for the
> end of June.
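The comment above rests on the backend, not the proxy, being the place where a request is judged, and smuggling only works when the two disagree on where a request ends. The following is an added example (not code from this issue, Karaf, Pax Web or Jetty) of a strict HTTP/1.1 framing check a backend can apply to reject the ambiguous cases before routing; the sample requests in the test are constructed.

```python
# Added example, not from the issue thread: reject HTTP/1.1 requests whose
# body framing a front proxy and a backend could interpret differently.
HEX = b"0123456789abcdefABCDEF"

def check_framing(raw: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for one raw request; ambiguous framing is rejected."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, colon, value = line.partition(b":")
        if not colon or name != name.strip():      # "Name : v" or folded lines
            return False, "malformed header line"
        key = name.lower()
        if key in headers:                         # duplicates are ambiguous
            return False, f"duplicate header {key.decode()}"
        headers[key] = value.strip()
    te = headers.get(b"transfer-encoding")
    cl = headers.get(b"content-length")
    if te is not None and cl is not None:          # RFC 7230 3.3.3 conflict
        return False, "both Transfer-Encoding and Content-Length"
    if te is not None:
        if te.lower() != b"chunked":               # no "xchunked", "chunked, gzip" ...
            return False, "unsupported Transfer-Encoding"
        return check_chunks(body)
    if cl is not None:
        if not cl.isdigit():
            return False, "non-numeric Content-Length"
        if len(body) != int(cl):
            return False, "body length disagrees with Content-Length"
    return True, "ok"

def check_chunks(body: bytes) -> tuple[bool, str]:
    """Accept only canonical chunks: pure-hex size line, CRLF, no extensions."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            return False, "truncated chunk-size line"
        size_line = body[pos:end]
        if not size_line or any(c not in HEX for c in size_line):
            return False, "non-canonical chunk-size line"
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:                              # last chunk, no trailers allowed
            return (body[pos:] == b"\r\n"), "data after final chunk"
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False, "chunk data not followed by CRLF"
        pos += size + 2
```

A request rejected here is answered with 400 and the connection closed, so nothing left in the buffer can be read as the start of a second request.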
--
This is an automated message from the Apache Git Service.