Metabase jetty vulnerability

Can anyone tell me which Metabase version uses the fixed Jetty version 9.2.25.v20180606?

Hi @vs1188
Which vulnerability are you specifically referring to?
Metabase has been using Jetty 9.4 since version 0.31.0
Metabase 0.33.0 is using 9.4.15.v20190215
Reference: https://github.com/metabase/metabase/blob/v0.33.0/project.clj#L122


(CVE-2017-7658): Eclipse Jetty Server Fake Pipeline Request Security Bypass Vulnerability (Windows) -> this is the vulnerability I am referring to.

Please let me know how we can resolve this. The report that flagged this vulnerability suggested using the fixed Jetty version 9.2.25.v20180606, so I wanted to know which Metabase version uses the fixed version of the Jetty server.

@vs1188
It was fixed in 9.4.11, and since Metabase uses 9.4.15, it’s fixed there too.
https://nvd.nist.gov/vuln/detail/CVE-2017-7658
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669

Hi flamber,

I got the server re-scanned and the report is still showing the Eclipse Jetty vulnerability even after upgrading to Metabase v0.33.

Please help.

@vs1188
What scanning tool are you using? If OpenVAS, then it’s a bug in their software (ref).
Have you contacted the developers of the scanning tool and told them it’s generating a false report?

Hi Flamber,

Yes, we are using OpenVAS as the scanning tool here. Also, I am attaching part of the scan report; have a look.

Can you also please confirm that Metabase v0.33 does not have the Eclipse Jetty vulnerability?

I get the same when I use Greenbone (packaged OpenVMS, I believe) against my test server running on port 3000. When I test against my live server running https, I get no error.
Only thing in the report is that my certificate key is ‘only’ 1024 bits long.

Try using HTTPS instead of just port 3000 - you shouldn’t be passing stuff that’s not encrypted.

@vs1188
Look at the report. It says the vulnerability is fixed in Jetty 9.4.11 - Metabase currently uses Jetty 9.4.15.
That’s what I have linked to multiple times in the previous comments.
I would recommend that you use a reverse proxy or add a certificate, like Andrew recommends, and only run https.
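As an added example (not Metabase's, OpenVAS's or any poster's code), a small Python triage helper for the question in this thread: it pulls the Jetty version out of a project.clj dependency line (a constructed sample modelled on the line linked for v0.33.0 above) and compares it against the fix versions named here, 9.2.25 for the 9.2 branch and 9.4.11 for the 9.4 branch, so a scanner hit like the one reported can be checked against what Metabase actually bundles.

```python
"""Triage helper for the CVE-2017-7658 finding discussed in this thread.

Constructed example. It reads the Jetty version Metabase pins in
project.clj and checks it against the per-branch fix versions given
in the thread: 9.2.25 (9.2 branch) and 9.4.11 (9.4 branch).
"""
import re

# Fix versions per Jetty maintenance branch, as stated in the thread.
# Jetty 9.3 is not discussed on this page, so it is deliberately absent.
CVE_2017_7658_FIXED = {(9, 2): (9, 2, 25), (9, 4): (9, 4, 11)}

# Constructed sample of the dependency line Metabase's project.clj carries.
SAMPLE_PROJECT_CLJ = '''
  :dependencies [[org.clojure/clojure "1.10.1"]
                 [org.eclipse.jetty/jetty-server "9.4.15.v20190215"]
                 [ring/ring-core "1.7.1"]]
'''

# Jetty versions look like 9.4.15.v20190215: semver plus a .vYYYYMMDD tag.
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?')


def parse_jetty_version(s):
    """Return (major, minor, patch); the .vYYYYMMDD build qualifier is
    ignored because the patch number already decides ordering."""
    m = VERSION_RE.fullmatch(s.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {s!r}")
    return tuple(int(x) for x in m.group(1, 2, 3))


def jetty_version_from_project_clj(text):
    """Locate the jetty-server dependency in project.clj text."""
    m = re.search(r'\[org\.eclipse\.jetty/jetty-server\s+"([^"]+)"\]', text)
    if not m:
        raise ValueError("no jetty-server dependency found")
    return parse_jetty_version(m.group(1))


def affected_by_cve_2017_7658(version):
    """True if the bundled Jetty is older than the fix on its branch;
    None when the thread names no fix version for that branch."""
    fixed = CVE_2017_7658_FIXED.get(version[:2])
    return None if fixed is None else version < fixed


if __name__ == "__main__":
    v = jetty_version_from_project_clj(SAMPLE_PROJECT_CLJ)
    print("bundled Jetty", v, "affected:", affected_by_cve_2017_7658(v))
```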

Thanks Andrew & Flamber for your help. Much appreciated!!