[Archivesspace_Users_Group] Jetty out of date - critical vulnerability

Christine Di Bella christine.dibella at lyrasis.org
Wed Oct 27 16:04:00 EDT 2021 

Hello everyone,

Our policy for reporting security issues is at archivesspace/SECURITY.md at master * archivesspace/archivesspace<https://github.com/archivesspace/archivesspace/blob/master/SECURITY.md> . Given the sensitivity, we maintain security issues in a non-public JIRA. When you encounter issues locally, please do reach out to us at ArchivesSpaceHome at lyrasis.org<mailto:ArchivesSpaceHome at lyrasis.org> first so that we can discuss it with you.

We're currently investigating this issue. ArchivesSpace has many dependencies built into it, which can make upgrading individual pieces more complex than it might otherwise be. The timing for upgrades is always dependent on matching our available resources with the community's highest priorities, while taking care of infrastructure items and dependencies with the highest urgency as quickly as possible. Jetty is used in a relatively limited way in ArchivesSpace, as it is not the primary web server for most people using the application, which has, in the past, made upgrading it less time sensitive than it might otherwise be. We will review all new information, however, to determine if circumstances have changed. We'll have an update on this soon.

Christine

Christine Di Bella
ArchivesSpace Program Manager
christine.dibella at lyrasis.org<mailto:christine.dibella at lyrasis.org>
800.999.8558 x2905
678-235-2905


[ASpaceOrgHomeMedium]





From: archivesspace_users_group-bounces at lyralists.lyrasis.org <archivesspace_users_group-bounces at lyralists.lyrasis.org> On Behalf Of Shalvi, Doron (NIH/NLM) [C]
Sent: Monday, October 25, 2021 11:14 AM
To: archivesspace_users_group at lyralists.lyrasis.org
Subject: [Archivesspace_Users_Group] Jetty out of date - critical vulnerability

Hello,

I wanted to pass on to the community some critical security vulnerabilities that we recently found when scanning our ArchivesSpace instance.  These vulnerabilities allows authorization to be bypassed, due to the out of date version of Jetty delivered with the system.  I've written up these issues as a JIRA ticket at: https://archivesspace.atlassian.net/browse/ANW-1437, but also wanted to post about the issue here to allow for discussion.

We are hoping to soon open our ArchivesSpace instance to the general public.  Our security team will not allow ArchivesSpace to be opened to the public while it has a critical security vulnerability.

We are running ArchivesSpace 2.8.1, which uses Jetty 8.1.5.  However, since all recent versions of ArchivesSpace use the same version of Jetty, I assume that all recent versions of ArchivesSpace are affected as well, including recent version 3.1.  Version 8 of Jetty is considered "venerable" (older even than deprecated), as noted at https://www.eclipse.org/jetty/download.php .  With this version of Jetty, NetSparker noted 2 critical issues, 3 high issues, 1 medium issue, and 1 low issue.

These issues were found by NetSparker, which is one of the security tools we use for scanning.  Interestingly, this issue was found by NetSparker only a few weeks ago, and not in our previous NetSparker scans, even though our ArchivesSpace instance has not changed.  This implies that the issue was just recently added to NetSparker's vulnerability database, may become more well-known, and could present an issue to other organizations using ArchivesSpace as well.

I understand that ArchivesSpace does not heavily use Jetty, and does not serve any static content using Jetty.  However, Jetty can still be exploited even if it is behind an intermediary, such as Apache, as described in the links in the ticket.  We have spent a little bit of time attempting to upgrade Jetty on our own.  We were able to upgrade to Jetty 9.4, but this version is still vulnerable to the issues noted above.  We weren't able to upgrade to Jetty 10 or 11, both of which require Java 11 - it looks like this may take some work.

Has anyone else observed these issue?  Would anyone have suggestions for remediation?

I think that the best approach would be to upgrade Jetty to version 10 or 11, in line with a move to Java 11.

Thanks for your thoughts and consideration!

Doron Shalvi
System Engineer
National Library of Medicine

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lyralists.lyrasis.org/pipermail/archivesspace_users_group/attachments/20211027/a7fcdc87/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 13904 bytes
Desc: image001.jpg
URL: <http://lyralists.lyrasis.org/pipermail/archivesspace_users_group/attachments/20211027/a7fcdc87/attachment.jpg>

More information about the Archivesspace_Users_Group mailing list