CVE-2024-6763 – Jetty HTTP Vulnerability #703

@rkumarpa

If you are using the OCI Java SDK and this CVE (CVE-2024-6763) is flagged in your security scan, it is most likely due to a transitive dependency on org.eclipse.jetty:jetty-http. In such cases you will need to manually override and update the affected Jetty version, since the SDK cannot update the Jetty dependency version itself because of the limitations described below.

Description

This vulnerability affects Jetty’s jetty-http module. The vulnerability primarily affects applications that use the HttpURI class directly for URI validation or security checks. Jetty’s internal usage of this class is not directly vulnerable.

OCI Java SDK Usage

The SDK does not directly depend on the jetty-http module. The package is pulled in transitively via org.eclipse.jetty.websocket:websocket-server → jetty-server → jetty-http. The SDK currently uses Jetty version 9.4.57.v20241219, which includes the official fix for this vulnerability. Despite this, security scanners and repositories like Maven Central may continue to flag the dependency as vulnerable because Jetty 9.4.x is now EOL (end of life), and security scanners often treat all EOL versions as risky regardless of patches.

Why the SDK Cannot Upgrade to Jetty 10+

Upgrading to the latest Jetty version (12.0.12 or later) would resolve the vulnerability, but Jetty 12+ requires JDK 17 or newer. Since the SDK must remain compatible with JDK 8, upgrading to Jetty 12 is not feasible at this time.
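The manual override mentioned above, shown as an added Maven example that is not part of the SDK or of this issue: a `dependencyManagement` block in the consuming project's pom.xml pins the Jetty artifacts of the transitive chain named here (websocket-server → jetty-server → jetty-http). The `jetty.version` value is a placeholder; whatever version you choose must match your JDK (Jetty 12 requires JDK 17 per the text above) and must be applied to every Jetty module, since Jetty modules are only supported at one common version.

```xml
<!-- Added example for a project that consumes the OCI Java SDK; not SDK code.
     Maven resolves managed versions before transitive ones, so the pinned
     version below wins over the 9.4.57.v20241219 the SDK declares. -->
<properties>
  <!-- PLACEHOLDER: set to the fixed Jetty release you have validated on
       your JDK. Jetty 12.0.12+ contains the fix but needs JDK 17 or newer. -->
  <jetty.version>REPLACE_WITH_FIXED_JETTY_VERSION</jetty.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- The artifact actually flagged by the scanner. -->
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-http</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <!-- Pin the rest of the chain too: a jetty-http from one release paired
         with a jetty-server from another fails at runtime with missing
         classes or methods, which is worse than a scanner finding. -->
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <!-- Artifact name taken from the issue (Jetty 9.4 naming). Assumption:
         newer Jetty majors renamed the websocket modules, so confirm the
         artifactId for your target version before relying on this entry. -->
    <dependency>
      <groupId>org.eclipse.jetty.websocket</groupId>
      <artifactId>websocket-server</artifactId>
      <version>${jetty.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-http` shows which version is actually resolved, which is what the scanner will see.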
