Hello

If you're already in production, I'd think twice before upgrading to Pax
Web 8 - it changes A LOT. You _may_ be dependent on some not-spec-compliant
behavior of Pax Web 7 used in Karaf 4.3.

Also (though I'm not a security expert, so I can't take responsibility if
you in any way use my advice ;), CVE-2023-36478 is about the HTTP/2 protocol
and Pax Web 7 doesn't even include support for this part of Jetty. After
you scanned the Jetty version, please scan Karaf to see if the HTTP/2 protocol is
enabled in the first place.

kind regards
Grzegorz Grzybek

Mon, 4 Mar 2024 at 06:23 Chandan Singh <mailbox.chandansi...@gmail.com>
wrote:

> Hi JB ,
>
> Can you please share how to upgrade just PaxWeb/Jetty in the 4.3.10
> version? We are already in prod and I cannot upgrade to a new Karaf version.
>
> Regards
> Chandan
>
> On Fri, Mar 1, 2024 at 12:41 PM Jean-Baptiste Onofré <j...@nanthrax.net>
> wrote:
>
>> Hi
>>
>> You can create your own custom Karaf distribution upgrading PaxWeb/Jetty.
>>
>> Or you can update to the latest Karaf version.
>>
>> Regards
>> JB
>>
>> On Tue, Feb 27, 2024 at 12:57 PM Chandan Singh <
>> mailbox.chandansi...@gmail.com> wrote:
>>
>>> Is there any way we can upgrade the Jetty version in Karaf 4.3.10 to the
>>> latest Jetty version?
>>>
>>> Regards
>>> Chandan
>>>
>>> On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek <gr.grzy...@gmail.com>
>>> wrote:
>>>
>>>> Hello
>>>>
>>>> Karaf 4.3.x uses Pax Web 7.x and there exists pax-jetty-http2 feature.
>>>> It comes with a warning:
>>>>
>>>> Please beware, for this feature to run properly you'll need to add the
>>>> alpn-boot.jar to the
>>>> lib/ext folder of Karaf in some cases of your JVM.
>>>>
>>>> So it's kind of not working by default. But it depends on how smart (or
>>>> dumb, which is more often probably...) the scanner is. When you start fresh
>>>> Karaf you don't even have HTTP server running at all. So it's kind of "safe
>>>> by default". But you can install any bundle there - whether or not it comes
>>>> from standard Karaf features.
>>>>
>>>> In other words - I don't have a good answer... I just wanted to
>>>> communicate that it's not an easy question ;)
>>>>
>>>> regards
>>>> Grzegorz Grzybek
>>>>
>>>> Thu, 22 Feb 2024 at 13:47 Richard Hierlmeier <
>>>> rhierlme...@googlemail.com> wrote:
>>>>
>>>>> We already did a security scan; it detected CVE-2023-36478 and
>>>>> CVE-2023-44487.
>>>>>
>>>>> Both CVEs are related to HTTP/2. I had thought that HTTP/2 is not
>>>>> possible in Karaf 4.3.
>>>>>
>>>>> Can someone confirm this assumption?
>>>>>
>>>>> Regards
>>>>>
>>>>> Richard
>>>>>
>>>>>
>>>>> On Thu, 22 Feb 2024 at 11:23 Chandan Singh <
>>>>> mailbox.chandansi...@gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> During a recent security scan we found a vulnerability reported
>>>>>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>>>>>> any recommendations on the same?
>>>>>>
>>>>>> Regards
>>>>>> Chandan
>>>>>>
>>>>>
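The thread twice comes back to the same triage question: before chasing the Jetty HTTP/2 CVEs, find out whether the Karaf instance can speak HTTP/2 at all (the `pax-jetty-http2` feature, which in some JVMs also needs `alpn-boot.jar` in `lib/ext`, and whether an HTTP server is even started at boot). The script below is an added example, not part of the thread and not Karaf's own tooling; it assumes the standard Karaf layout of `etc/org.apache.karaf.features.cfg` (the `featuresBoot` key) and `lib/ext`, and the feature names `http` and `pax-jetty-http2`. It only inspects the boot configuration; features installed at runtime are not visible here, so the last function does a live ALPN check with curl against a URL you supply.

```shell
#!/bin/sh
# Offline triage of a Karaf 4.3.x installation for HTTP/2 exposure.
# Added example; assumes the standard Karaf layout (etc/, lib/ext/).
set -e

# Prints "yes" if an alpn-boot*.jar is present in lib/ext, else "no".
has_alpn_boot() {
  for f in "$1"/lib/ext/alpn-boot*.jar; do
    if [ -e "$f" ]; then echo yes; return 0; fi
  done
  echo no
}

# Prints the raw featuresBoot value, with backslash-continued lines joined.
boot_features() {
  cfg="$1/etc/org.apache.karaf.features.cfg"
  [ -f "$cfg" ] || return 0
  sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$cfg" \
    | sed -n 's/^[[:space:]]*featuresBoot[[:space:]]*=[[:space:]]*//p'
}

# Prints "yes" if feature $2 is listed in featuresBoot of installation $1.
# Parentheses (stage groups) and "/version" suffixes are ignored.
feature_in_boot() {
  if boot_features "$1" | tr '(),' '\n\n\n' \
       | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's|/.*||' \
       | grep -qx "$2"; then
    echo yes
  else
    echo no
  fi
}

# One-word verdict on what the boot configuration can expose.
http2_verdict() {
  if [ "$(feature_in_boot "$1" pax-jetty-http2)" = yes ]; then
    if [ "$(has_alpn_boot "$1")" = yes ]; then
      echo http2-feature-at-boot
    else
      echo http2-feature-at-boot-without-alpn-boot
    fi
  elif [ "$(feature_in_boot "$1" http)" = yes ]; then
    echo http1-only-at-boot
  else
    echo no-http-server-at-boot
  fi
}

# Live check of a running instance: prints "2" when the server negotiates
# HTTP/2 over ALPN, "1.1" (or "1.0") otherwise. Needs network access.
negotiated_http_version() {
  curl -sS --http2 -o /dev/null -w '%{http_version}' "$1"
}

# Usage: sh karaf-http2-check.sh /opt/karaf
if [ -n "${1:-}" ]; then
  printf '%s: %s\n' "$1" "$(http2_verdict "$1")"
fi
```

A verdict of `no-http-server-at-boot` matches the observation in the thread that a fresh Karaf does not run an HTTP server at all, but anything installed later (`feature:install`, a deployed bundle) changes that, which is why the curl probe against the live instance is the check that actually settles the scanner's finding.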
