Metabase jetty vulnerability

vs1188 · September 2, 2019, 1:22pm

Can anyone tell me which metabase version uses the fixed jetty version 9.2.25.v20180606 ?

flamber · September 2, 2019, 5:51pm

Hi @vs1188
Which vulnerability are you specifically referring to?
Metabase has been using Jetty 9.4 since version 0.31.0
Metabase 0.33.0 is using 9.4.15.v20190215
Reference: https://github.com/metabase/metabase/blob/v0.33.0/project.clj#L122

vs1188 · September 3, 2019, 1:34pm

(CVE-2017-7658) : Eclipse Jetty Server Fake Pipeline Request Security Bypass Vulnerability (Windows) -> this is the vulnerability that I am referring to.

Please let me know how can we resolve this. The report which flagged this vulnerability suggested to use fixed jetty version 9.2.25.v20180606, so wanted to know which metabase version uses the fixed version of jetty server.

flamber · September 3, 2019, 3:14pm

@vs1188
It was fixed in 9.4.11, and since Metabase uses 9.4.15, then it’s fixed in that too.
https://nvd.nist.gov/vuln/detail/CVE-2017-7658
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669

vs1188 · September 11, 2019, 3:46pm

Hi flamber,

I got the server re-scanned and the report is still showing the eclipse jetty vulnerability even after upgrading to metabase v.0.33.

Please help.

flamber · September 11, 2019, 4:32pm

@vs1188
What are scanning tool are you using? If OpenVAS, then it’s a bug in their software (ref).
Have you contacted the developers of the scanning tool and telling them it’s generating a false report?

vs1188 · September 12, 2019, 12:58pm

Hi Flamber,

Yes we are using OpenVAS as the scanning tool here. Also, I am attaching a part of the scanned report, have a look.

Can you also please confirm if the metabase v0.33 does not have the eclipse jetty vulnerability ?

AndrewMBaines · September 12, 2019, 3:26pm

I get the same when I use Greenbone (packaged OpenVMS, I believe) against my test server running on port 3000. When I test again my live server running https, I get no error.
Only thing in the report is that my certificate key is ‘only’ 1024 bits long.

Try using HTTPS instead of just port 3000 - you shouldn’t be passing stuff that’s not encrypted.

flamber · September 12, 2019, 6:30pm

@vs1188
Look at the report. It says the vulnerability is fixed in Jetty 9.4.11 - Metabase currently uses Jetty 9.4.15.
That’s what I have linked to multiple times in the previous comments.
I would recommend that you use a reverse proxy or add a certificate, like Andrew recommends, and only run https.

vs1188 · September 13, 2019, 7:48am

Thanks Andrew & Flamber for your help. Much appreciated !!

vs1188 · September 23, 2019, 12:31pm

Hi Andrew,

Can you please guide me through on how I can move metabase from http to https.

AndrewMBaines · September 23, 2019, 12:45pm

Depends upon how you’ve deployed it and the OS. You need to start with the docs. You’ll need an SSL certificate too.

vs1188 · September 23, 2019, 12:49pm

I simply run the jar file through command prompt and then completed the configuration part.

vs1188 · November 13, 2019, 9:02am

Hi Andrew,

I was able to successfully deploy and run the metabase v 0.31 but after 3-4 weeks of usage, it is now showing below error when a user is trying to login in using gmail creds.

“unable to find valid certification path to requested target”.

Please help.

vs1188 · November 13, 2019, 3:12pm

Hi @flamber,

Can you please provide some insights here ?

flamber · November 13, 2019, 4:25pm

@vs1188 Create a new topic - that has nothing to do with this topic. Also, latest release is 0.33.5 - 0.31.x is a year old.