• Share this article:

Eclipse Jetty Security Audit Has Been Completed

Wednesday, October 18, 2023 - 11:00 by Mikaël Barbero

We’re proud to share that the Eclipse Foundation has completed the security audit for Eclipse Jetty, one of the world’s most widely deployed web server and servlet containers. All users are encouraged to upgrade to versions containing changes addressing all conclusions of the audit: Eclipse Jetty 12.0.0, 11.0.16, 10.0.16, and 9.4.53.

Web/application servers and client libraries like ones included in Jetty need to support multiple protocols, such as HTTP/1, HTTP/2, HTTP/3, and various Jakarta EE standards. They handle data that could potentially come from malicious sources. Achieving this in a proper and secure manner can be quite challenging, and even experienced developers may inadvertently make errors.

Additionally, such Jetty servers and clients are integrated with custom application code that handles data. The complete solutions are complex, and improving the security of each building block is crucial. This made Eclipse Jetty a good candidate for a security audit.

The audit provided a set of general recommendations on the direction of Jetty’s architecture, and revealed some issues in the code base that were unknown to the development team. It has also led to two CVEs: CVE-2023-36479 and CVE-2023-36478, along with a list of bug fixes for the initial release of Jetty 12.0.0.

>>Full Report
Full Report

Audits like these improve the security of the whole web services ecosystem for Java applications, both in the short term through fixes, and in the long term by showing potential risks and possible development directions.

While Jetty has been hosted at the Eclipse Foundation since 2009, the project’s origins go back to 1995. Jetty is used extensively by millions of developers and in production environments around the world. Its small footprint, high performance, and scalability have made the server an appealing choice among enterprise application developers using a variety of Java, Scala, Kotlin, and other JVM-based languages. Jetty can be found in products and projects such as Apache Hadoop, Apache Maven, Google App Engine, Dropwizard, Spring Boot, the Javalin project, Zimbra, and the Eclipse IDE.

This was our third open source project security audit, and was completed by Trail of Bits. Like our previous two audits, this initiative was done in collaboration with the Open Source Technology Improvement Fund (OSTIF) and was made possible thanks to the funding the Eclipse Foundation received from the Alpha-Omega Project.

Get Involved

  • Download Eclipse Jetty, and learn how you can contribute to the project.
  • Learn more about the Eclipse Cyber Risk Initiative, and how your organization can join the effort to strengthen the open source supply chain. Please subscribe to the ECRI mailing list to join the initiative, or to follow its progress.