[fix][sec][branch-4.0] Upgrade to Jetty 12.1.8 to address several CVEs (#25534)

Author: lhotari

conf/bookkeeper.conf

@@ -595,7 +595,7 @@ compactionRateByBytes=1000000
 # enableStatistics=true
 
 # Stats Provider Class (if statistics are enabled)
-statsProviderClass=org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider
+statsProviderClass=org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider
 
 # Default port for Prometheus metrics exporter
 prometheusStatsHttpPort=8000

conf/zookeeper.conf

@@ -76,6 +76,6 @@ portUnification=false
 ## Metrics Providers
 #
 # https://prometheus.io Metrics Exporter
-metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
+metricsProvider.className=org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider
 metricsProvider.httpPort=8000
-metricsProvider.exportJvmInfo=true
+metricsProvider.exportJvmInfo=true

distribution/server/pom.xml

@@ -82,29 +82,21 @@
     </dependency>
 
     <dependency>
-      <groupId>jline</groupId>
-      <artifactId>jline</artifactId>
-      <version>${jline.version}</version>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>pulsar-bookkeeper-prometheus-metrics-provider</artifactId>
+      <version>${project.version}</version>
     </dependency>
 
     <dependency>
-      <groupId>org.apache.zookeeper</groupId>
-      <artifactId>zookeeper-prometheus-metrics</artifactId>
-      <version>${zookeeper.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>ch.qos.logback</groupId>
-          <artifactId>logback-core</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>ch.qos.logback</groupId>
-          <artifactId>logback-classic</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>io.netty</groupId>
-          <artifactId>netty-tcnative</artifactId>
-        </exclusion>
-      </exclusions>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>pulsar-zookeeper-prometheus-metrics</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>jline</groupId>
+      <artifactId>jline</artifactId>
+      <version>${jline.version}</version>
     </dependency>
 
     <dependency>
@@ -141,6 +133,12 @@
       <groupId>${project.groupId}</groupId>
       <artifactId>pulsar-testclient</artifactId>
       <version>${project.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.apache.zookeeper</groupId>
+          <artifactId>zookeeper</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -199,11 +197,6 @@
       <artifactId>log4j-slf4j2-impl</artifactId>
     </dependency>
 
-    <dependency>
-      <groupId>org.apache.bookkeeper.stats</groupId>
-      <artifactId>prometheus-metrics-provider</artifactId>
-    </dependency>
-
     <dependency>
       <groupId>io.prometheus</groupId>
       <artifactId>simpleclient_log4j2</artifactId>

distribution/server/src/assemble/LICENSE.bin.txt

@@ -330,7 +330,6 @@ The Apache Software License, Version 2.0
     - io.prometheus-simpleclient_common-0.16.0.jar
     - io.prometheus-simpleclient_hotspot-0.16.0.jar
     - io.prometheus-simpleclient_httpserver-0.16.0.jar
-    - io.prometheus-simpleclient_jetty-0.16.0.jar
     - io.prometheus-simpleclient_log4j2-0.16.0.jar
     - io.prometheus-simpleclient_servlet-0.16.0.jar
     - io.prometheus-simpleclient_servlet_common-0.16.0.jar
@@ -354,8 +353,8 @@ The Apache Software License, Version 2.0
     - org.apache.logging.log4j-log4j-web-2.25.4.jar
     - org.apache.logging.log4j-log4j-layout-template-json-2.25.4.jar
  * Java Native Access JNA
-    - net.java.dev.jna-jna-jpms-5.12.1.jar
-    - net.java.dev.jna-jna-platform-jpms-5.12.1.jar
+    - net.java.dev.jna-jna-jpms-5.18.1.jar
+    - net.java.dev.jna-jna-platform-jpms-5.18.1.jar
  * BookKeeper
     - org.apache.bookkeeper-bookkeeper-common-4.17.3.jar
     - org.apache.bookkeeper-bookkeeper-common-allocator-4.17.3.jar
@@ -376,12 +375,10 @@ The Apache Software License, Version 2.0
     - org.apache.bookkeeper.http-http-server-4.17.3.jar
     - org.apache.bookkeeper.http-vertx-http-server-4.17.3.jar
     - org.apache.bookkeeper.stats-bookkeeper-stats-api-4.17.3.jar
-    - org.apache.bookkeeper.stats-prometheus-metrics-provider-4.17.3.jar
     - org.apache.distributedlog-distributedlog-common-4.17.3.jar
     - org.apache.distributedlog-distributedlog-core-4.17.3-tests.jar
     - org.apache.distributedlog-distributedlog-core-4.17.3.jar
     - org.apache.distributedlog-distributedlog-protocol-4.17.3.jar
-    - org.apache.bookkeeper.stats-codahale-metrics-provider-4.17.3.jar
     - org.apache.bookkeeper-bookkeeper-slogger-api-4.17.3.jar
     - org.apache.bookkeeper-bookkeeper-slogger-slf4j-4.17.3.jar
     - org.apache.bookkeeper-native-io-4.17.3.jar
@@ -395,25 +392,43 @@ The Apache Software License, Version 2.0
     - org.asynchttpclient-async-http-client-2.14.5.jar
     - org.asynchttpclient-async-http-client-netty-utils-2.14.5.jar
  * Jetty
-    - org.eclipse.jetty-jetty-client-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-continuation-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-http-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-io-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-proxy-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-security-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-server-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-servlet-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-servlets-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-util-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-util-ajax-9.4.58.v20250814.jar
-    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.58.v20250814.jar
-    - org.eclipse.jetty.websocket-websocket-api-9.4.58.v20250814.jar
-    - org.eclipse.jetty.websocket-websocket-client-9.4.58.v20250814.jar
-    - org.eclipse.jetty.websocket-websocket-common-9.4.58.v20250814.jar
-    - org.eclipse.jetty.websocket-websocket-server-9.4.58.v20250814.jar
-    - org.eclipse.jetty.websocket-websocket-servlet-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.58.v20250814.jar
-    - org.eclipse.jetty-jetty-alpn-server-9.4.58.v20250814.jar
+    - org.eclipse.jetty-jetty-alpn-client-12.1.8.jar
+    - org.eclipse.jetty-jetty-alpn-conscrypt-server-12.1.8.jar
+    - org.eclipse.jetty-jetty-alpn-server-12.1.8.jar
+    - org.eclipse.jetty-jetty-annotations-12.1.8.jar
+    - org.eclipse.jetty-jetty-client-12.1.8.jar
+    - org.eclipse.jetty-jetty-http-12.1.8.jar
+    - org.eclipse.jetty-jetty-io-12.1.8.jar
+    - org.eclipse.jetty-jetty-jndi-12.1.8.jar
+    - org.eclipse.jetty-jetty-plus-12.1.8.jar
+    - org.eclipse.jetty-jetty-security-12.1.8.jar
+    - org.eclipse.jetty-jetty-server-12.1.8.jar
+    - org.eclipse.jetty-jetty-session-12.1.8.jar
+    - org.eclipse.jetty-jetty-util-12.1.8.jar
+    - org.eclipse.jetty-jetty-xml-12.1.8.jar
+    - org.eclipse.jetty.compression-jetty-compression-common-12.1.8.jar
+    - org.eclipse.jetty.compression-jetty-compression-gzip-12.1.8.jar
+    - org.eclipse.jetty.compression-jetty-compression-server-12.1.8.jar
+    - org.eclipse.jetty.ee-jetty-ee-webapp-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-annotations-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-nested-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-plus-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-proxy-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-security-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-servlet-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-servlets-12.1.8.jar
+    - org.eclipse.jetty.ee8-jetty-ee8-webapp-12.1.8.jar
+    - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-api-12.1.8.jar
+    - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-common-12.1.8.jar
+    - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-jetty-server-12.1.8.jar
+    - org.eclipse.jetty.ee8.websocket-jetty-ee8-websocket-servlet-12.1.8.jar
+    - org.eclipse.jetty.toolchain-jetty-servlet-api-4.0.9.jar
+    - org.eclipse.jetty.websocket-jetty-websocket-core-client-12.1.8.jar
+    - org.eclipse.jetty.websocket-jetty-websocket-core-common-12.1.8.jar
+    - org.eclipse.jetty.websocket-jetty-websocket-core-server-12.1.8.jar
+    - org.eclipse.jetty.websocket-jetty-websocket-jetty-api-12.1.8.jar
+    - org.eclipse.jetty.websocket-jetty-websocket-jetty-client-12.1.8.jar
+    - org.eclipse.jetty.websocket-jetty-websocket-jetty-common-12.1.8.jar
  * SnakeYaml -- org.yaml-snakeyaml-2.0.jar
  * RocksDB - org.rocksdb-rocksdbjni-7.9.2.jar
  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.45.0.jar
@@ -480,7 +495,6 @@ The Apache Software License, Version 2.0
     - io.dropwizard.metrics-metrics-core-4.1.12.1.jar
     - io.dropwizard.metrics-metrics-graphite-4.1.12.1.jar
     - io.dropwizard.metrics-metrics-jvm-4.1.12.1.jar
-    - io.dropwizard.metrics-metrics-jmx-4.1.12.1.jar
   * Prometheus
     - io.prometheus-simpleclient_httpserver-0.16.0.jar
   * Oxia
@@ -501,9 +515,7 @@ The Apache Software License, Version 2.0
     - io.vertx-vertx-web-4.5.24.jar
     - io.vertx-vertx-web-common-4.5.24.jar
   * Apache ZooKeeper
-    - org.apache.zookeeper-zookeeper-3.9.5.jar
     - org.apache.zookeeper-zookeeper-jute-3.9.5.jar
-    - org.apache.zookeeper-zookeeper-prometheus-metrics-3.9.5.jar
   * Snappy Java
     - org.xerial.snappy-snappy-java-1.1.10.8.jar
   * Google HTTP Client
@@ -556,6 +568,10 @@ BSD 3-clause "New" or "Revised" License
  * JSR305 -- com.google.code.findbugs-jsr305-3.0.2.jar -- ../licenses/LICENSE-JSR305.txt
  * JLine -- jline-jline-2.14.6.jar -- ../licenses/LICENSE-JLine.txt
  * JLine3 -- org.jline-jline-3.21.0.jar -- ../licenses/LICENSE-JLine.txt
+ * OW2 ASM
+   - org.ow2.asm-asm-9.9.1.jar -- ../licenses/LICENSE-ASM.txt
+   - org.ow2.asm-asm-commons-9.9.1.jar -- ../licenses/LICENSE-ASM.txt
+   - org.ow2.asm-asm-tree-9.9.1.jar -- ../licenses/LICENSE-ASM.txt
 
 BSD 2-Clause License
  * HdrHistogram -- org.hdrhistogram-HdrHistogram-2.1.9.jar -- ../licenses/LICENSE-HdrHistogram.txt
@@ -581,7 +597,6 @@ CDDL-1.1 -- ../licenses/LICENSE-CDDL-1.1.txt
  * Java Annotations API
     - com.sun.activation-jakarta.activation-1.2.2.jar
  * Java Servlet API -- javax.servlet-javax.servlet-api-3.1.0.jar
- * WebSocket Server API -- javax.websocket-javax.websocket-client-api-1.0.jar
  * HK2 - Dependency Injection Kernel
     - org.glassfish.hk2-hk2-api-2.6.1.jar
     - org.glassfish.hk2-hk2-locator-2.6.1.jar
@@ -609,6 +624,7 @@ Eclipse Public License - v2.0 -- ../licenses/LICENSE-EPL-2.0.txt
  * Jakarta Annotations API -- jakarta.annotation-jakarta.annotation-api-1.3.5.jar
  * Jakarta RESTful Web Services -- jakarta.ws.rs-jakarta.ws.rs-api-2.1.6.jar
  * Jakarta Injection -- org.glassfish.hk2.external-jakarta.inject-2.6.1.jar
+ * Jakarta Transactions API -- jakarta.transaction-jakarta.transaction-api-1.3.3.jar
 
 Public Domain (CC0) -- ../licenses/LICENSE-CC0.txt
  * Reactive Streams -- org.reactivestreams-reactive-streams-1.0.4.jar

distribution/server/src/assemble/bin.xml

@@ -128,6 +128,8 @@
         <exclude>com.google.android:annotations</exclude>
         <!-- Needed only in the pulsar-shell distro only -->
         <exclude>net.java.dev.jna:jna</exclude>
+        <!-- Exclude org.apache.zookeeper:zookeeper since the patched version is included in the distribution -->
+        <exclude>org.apache.zookeeper:zookeeper</exclude>
       </excludes>
     </dependencySet>
   </dependencySets>

distribution/shell/src/assemble/LICENSE.bin.txt

@@ -401,14 +401,18 @@ The Apache Software License, Version 2.0
     - async-http-client-2.14.5.jar
     - async-http-client-netty-utils-2.14.5.jar
  * Jetty
-    - jetty-client-9.4.58.v20250814.jar
-    - jetty-http-9.4.58.v20250814.jar
-    - jetty-io-9.4.58.v20250814.jar
-    - jetty-util-9.4.58.v20250814.jar
-    - javax-websocket-client-impl-9.4.58.v20250814.jar
-    - websocket-api-9.4.58.v20250814.jar
-    - websocket-client-9.4.58.v20250814.jar
-    - websocket-common-9.4.58.v20250814.jar
+    - jetty-alpn-client-12.1.8.jar
+    - jetty-client-12.1.8.jar
+    - jetty-compression-common-12.1.8.jar
+    - jetty-compression-gzip-12.1.8.jar
+    - jetty-http-12.1.8.jar
+    - jetty-io-12.1.8.jar
+    - jetty-util-12.1.8.jar
+    - jetty-websocket-core-client-12.1.8.jar
+    - jetty-websocket-core-common-12.1.8.jar
+    - jetty-websocket-jetty-api-12.1.8.jar
+    - jetty-websocket-jetty-client-12.1.8.jar
+    - jetty-websocket-jetty-common-12.1.8.jar
  * SnakeYaml -- snakeyaml-2.0.jar
  * Google Error Prone Annotations - error_prone_annotations-2.45.0.jar
  * Javassist -- javassist-3.25.0-GA.jar
@@ -434,7 +438,6 @@ MIT License
 CDDL-1.1 -- ../licenses/LICENSE-CDDL-1.1.txt
  * Java Annotations API
     - jakarta.activation-1.2.2.jar
- * WebSocket Server API -- javax.websocket-client-api-1.0.jar
  * HK2 - Dependency Injection Kernel
     - hk2-api-2.6.1.jar
     - hk2-locator-2.6.1.jar

jetty-upgrade/bookkeeper-prometheus-metrics-provider/pom.xml

@@ -0,0 +1,85 @@
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.pulsar</groupId>
+    <artifactId>jetty-upgrade</artifactId>
+    <version>4.0.10-SNAPSHOT</version>
+  </parent>
+  <artifactId>pulsar-bookkeeper-prometheus-metrics-provider</artifactId>
+  <name>Apache Pulsar :: BookKeeper Stats Providers :: Prometheus</name>
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.bookkeeper.stats</groupId>
+      <artifactId>bookkeeper-stats-api</artifactId>
+      <version>${bookkeeper.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>io.prometheus</groupId>
+      <artifactId>simpleclient</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.prometheus</groupId>
+      <artifactId>simpleclient_hotspot</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.prometheus</groupId>
+      <artifactId>simpleclient_servlet</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-common</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-buffer</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.ee8</groupId>
+      <artifactId>jetty-ee8-servlet</artifactId>
+    </dependency>
+
+
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.yahoo.datasketches</groupId>
+      <artifactId>sketches-core</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.bookkeeper</groupId>
+      <artifactId>testtools</artifactId>
+      <version>${bookkeeper.version}</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>