Hello

Karaf 4.3.x uses Pax Web 7.x and there exists a pax-jetty-http2 feature. It comes with a warning:

"Please beware, for this feature to run properly you'll need to add the alpn-boot.jar to the lib/ext folder of Karaf in some cases of your JVM."

So it's kind of not working by default. But it depends on how smart (or dumb, which is more often probably...) the scanner is.

When you start a fresh Karaf you don't even have an HTTP server running at all. So it's kind of "safe by default". But you can install any bundle there - whether or not it comes from standard Karaf features.

In other words - I don't have a good answer... I just wanted to communicate that it's not an easy question ;)

regards
Grzegorz Grzybek

Thu, 22 Feb 2024 at 13:47 Richard Hierlmeier <rhierlme...@googlemail.com> wrote:

> We already did a security scan, it detected CVE-2023-36478 and
> CVE-2023-44487
>
> Both CVEs are related to HTTP2. I have thought that HTTP2 is not possible
> in Karaf 4.3.
>
> Can someone confirm this assumption?
>
> Regards
>
> Richard
>
>
> On Thu, 22 Feb 2024 at 11:23, Chandan Singh <
> mailbox.chandansi...@gmail.com> wrote:
>
>> Hi All,
>>
>> During a recent Security Scan we found a vulnerability reported
>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>> any recommendations on the same?
>>
>> [image: image.png]
>>
>>
>> Regards
>> Chandan
>>
>