[Archivesspace_Users_Group] Jetty out of date - critical vulnerability

Shalvi, Doron (NIH/NLM) [C] doron.shalvi at nih.gov
Mon Oct 25 11:14:04 EDT 2021 

Hello,

I wanted to pass on to the community some critical security vulnerabilities that we recently found when scanning our ArchivesSpace instance.  These vulnerabilities allows authorization to be bypassed, due to the out of date version of Jetty delivered with the system.  I've written up these issues as a JIRA ticket at: https://archivesspace.atlassian.net/browse/ANW-1437, but also wanted to post about the issue here to allow for discussion.

We are hoping to soon open our ArchivesSpace instance to the general public.  Our security team will not allow ArchivesSpace to be opened to the public while it has a critical security vulnerability.

We are running ArchivesSpace 2.8.1, which uses Jetty 8.1.5.  However, since all recent versions of ArchivesSpace use the same version of Jetty, I assume that all recent versions of ArchivesSpace are affected as well, including recent version 3.1.  Version 8 of Jetty is considered "venerable" (older even than deprecated), as noted at https://www.eclipse.org/jetty/download.php .  With this version of Jetty, NetSparker noted 2 critical issues, 3 high issues, 1 medium issue, and 1 low issue.

These issues were found by NetSparker, which is one of the security tools we use for scanning.  Interestingly, this issue was found by NetSparker only a few weeks ago, and not in our previous NetSparker scans, even though our ArchivesSpace instance has not changed.  This implies that the issue was just recently added to NetSparker's vulnerability database, may become more well-known, and could present an issue to other organizations using ArchivesSpace as well.

I understand that ArchivesSpace does not heavily use Jetty, and does not serve any static content using Jetty.  However, Jetty can still be exploited even if it is behind an intermediary, such as Apache, as described in the links in the ticket.  We have spent a little bit of time attempting to upgrade Jetty on our own.  We were able to upgrade to Jetty 9.4, but this version is still vulnerable to the issues noted above.  We weren't able to upgrade to Jetty 10 or 11, both of which require Java 11 - it looks like this may take some work.

Has anyone else observed these issue?  Would anyone have suggestions for remediation?

I think that the best approach would be to upgrade Jetty to version 10 or 11, in line with a move to Java 11.

Thanks for your thoughts and consideration!

Doron Shalvi
System Engineer
National Library of Medicine

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lyralists.lyrasis.org/pipermail/archivesspace_users_group/attachments/20211025/a553f538/attachment.html>

More information about the Archivesspace_Users_Group mailing list