Hello

If you're already in production, I'd think twice before upgrading to Pax Web 8 - it changes A LOT. You _may_ be dependent on some not-spec-compliant behavior of Pax Web 7 used in Karaf 4.3.

Also (though I'm not a security expert, so I can't take responsibility if you in any way use my advice ;), CVE-2023-36478 is about the HTTP/2 protocol and Pax Web 7 doesn't even include support for this part of Jetty. After you scanned the Jetty version, please scan Karaf to see if the HTTP/2 protocol is enabled in the first place.

kind regards
Grzegorz Grzybek

Mon, 4 Mar 2024 at 06:23 Chandan Singh <mailbox.chandansi...@gmail.com> wrote:

> Hi JB,
>
> Can you please share how to upgrade just Pax Web/Jetty in the 4.3.10
> version? We are already in prod and I cannot upgrade to a new Karaf version.
>
> Regards
> Chandan
>
> On Fri, Mar 1, 2024 at 12:41 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
>> Hi
>>
>> You can create your own custom Karaf distribution upgrading Pax Web/Jetty.
>>
>> Or you can update to the latest Karaf version.
>>
>> Regards
>> JB
>>
>> On Tue, Feb 27, 2024 at 12:57 PM Chandan Singh <mailbox.chandansi...@gmail.com> wrote:
>>
>>> Is there any way we can upgrade the Jetty version in Karaf 4.3.10 to the
>>> latest Jetty version?
>>>
>>> Regards
>>> Chandan
>>>
>>> On Thu, Feb 22, 2024 at 7:12 PM Grzegorz Grzybek <gr.grzy...@gmail.com> wrote:
>>>
>>>> Hello
>>>>
>>>> Karaf 4.3.x uses Pax Web 7.x and there exists a pax-jetty-http2 feature.
>>>> It comes with a warning:
>>>>
>>>> Please beware, for this feature to run properly you'll need to add the
>>>> alpn-boot.jar to the lib/ext folder of Karaf in some cases of your JVM.
>>>>
>>>> So it's kind of not working by default. But it depends on how smart (or
>>>> dumb, which is more often probably...) the scanner is. When you start a fresh
>>>> Karaf you don't even have an HTTP server running at all. So it's kind of "safe
>>>> by default". But you can install any bundle there - whether or not it comes
>>>> from standard Karaf features.
>>>>
>>>> In other words - I don't have a good answer... I just wanted to
>>>> communicate that it's not an easy question ;)
>>>>
>>>> regards
>>>> Grzegorz Grzybek
>>>>
>>>> Thu, 22 Feb 2024 at 13:47 Richard Hierlmeier <rhierlme...@googlemail.com> wrote:
>>>>
>>>>> We already did a security scan; it detected CVE-2023-36478 and
>>>>> CVE-2023-44487.
>>>>>
>>>>> Both CVEs are related to HTTP/2. I had thought that HTTP/2 is not
>>>>> possible in Karaf 4.3.
>>>>>
>>>>> Can someone confirm this assumption?
>>>>>
>>>>> Regards
>>>>>
>>>>> Richard
>>>>>
>>>>> On Thu, 22 Feb 2024 at 11:23, Chandan Singh <mailbox.chandansi...@gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> During a recent security scan we found a vulnerability reported
>>>>>> regarding the Jetty version in Apache Karaf 4.3.10. Does anyone have
>>>>>> any recommendations on the same?
>>>>>>
>>>>>> [image: image.png]
>>>>>>
>>>>>> Regards
>>>>>> Chandan