Metabase jetty vulnerability

Can anyone tell me which metabase version uses the fixed jetty version 9.2.25.v20180606 ?

Hi @vs1188
Which vulnerability are you specifically referring to?
Metabase has been using Jetty 9.4 since version 0.31.0
Metabase 0.33.0 is using 9.4.15.v20190215

1 Like

(CVE-2017-7658) : Eclipse Jetty Server Fake Pipeline Request Security Bypass Vulnerability (Windows) -> this is the vulnerability that I am referring to.

Please let me know how can we resolve this. The report which flagged this vulnerability suggested to use fixed jetty version 9.2.25.v20180606, so wanted to know which metabase version uses the fixed version of jetty server.

It was fixed in 9.4.11, and since Metabase uses 9.4.15, then it’s fixed in that too.

Hi flamber,

I got the server re-scanned and the report is still showing the eclipse jetty vulnerability even after upgrading to metabase v.0.33.

Please help.

What are scanning tool are you using? If OpenVAS, then it’s a bug in their software (ref).
Have you contacted the developers of the scanning tool and telling them it’s generating a false report?

1 Like

Hi Flamber,

Yes we are using OpenVAS as the scanning tool here. Also, I am attaching a part of the scanned report, have a look.

Can you also please confirm if the metabase v0.33 does not have the eclipse jetty vulnerability ?

I get the same when I use Greenbone (packaged OpenVMS, I believe) against my test server running on port 3000. When I test again my live server running https, I get no error.
Only thing in the report is that my certificate key is ‘only’ 1024 bits long.

Try using HTTPS instead of just port 3000 - you shouldn’t be passing stuff that’s not encrypted.

Look at the report. It says the vulnerability is fixed in Jetty 9.4.11 - Metabase currently uses Jetty 9.4.15.
That’s what I have linked to multiple times in the previous comments.
I would recommend that you use a reverse proxy or add a certificate, like Andrew recommends, and only run https.

Thanks Andrew & Flamber for your help. Much appreciated !!

Hi Andrew,

Can you please guide me through on how I can move metabase from http to https.

Depends upon how you’ve deployed it and the OS. You need to start with the docs. You’ll need an SSL certificate too.

1 Like

I simply run the jar file through command prompt and then completed the configuration part.

Hi Andrew,

I was able to successfully deploy and run the metabase v 0.31 but after 3-4 weeks of usage, it is now showing below error when a user is trying to login in using gmail creds.

“unable to find valid certification path to requested target”.

Please help.

Hi @flamber,

Can you please provide some insights here ?

@vs1188 Create a new topic - that has nothing to do with this topic. Also, latest release is 0.33.5 - 0.31.x is a year old.

1 Like