logzio / guice-jersey Goto Github PK

Hi,
I am trying to use this project to start an embedded jetty server with TLS support using keystore and SSLContextFactory (https://www.eclipse.org/jetty/documentation/9.4.x/embedded-examples.html#embedded-many-connectors), but could not find a way to add an additional connector to the JerseyConfigurationBuilder object. Is this supported? If yes, then can you point me to an example or changes that I would need to do to implement this.

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-19.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>

path: /root/.m2/repository/com/google/guava/guava/19.0/guava-19.0.jar

Library home page: https://github.com/google/guava/guava

Dependency Hierarchy:

• guice-4.1.0.jar (Root Library)
  • ❌ guava-19.0.jar (Vulnerable Library)

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1

Step up your Open Source Security Game with WhiteSource here

Are you guys looking into eclipse-ee4j/jersey#3692 and will this project enable all of us jersey fans to once again be able to build war files without having to go through all the trouble of maintaining web.xml-files?

There doesn't seem to be a way to access the jetty server instance so that I can enable jetty request logging. Typically you would just do server.setRequestLog(new Slf4jRequestLog())

It would also be nice to also be able to control the thread pool, etc.

Hi,

I wonder if there's plan to upgrade the jetty dependency to version 10 or 11? The latest guice-jersey 1.0.16 depends on jetty version 9.4.28.v20200408 which has some vulnerability issues https://mvnrepository.com/artifact/io.logz/guice-jersey/1.0.16.

Thanks,
Zhenfei

Hi! I'm not sure, that is bug, but by default JacksonJsonProvider.class not registrated in JerseyConfiguration module.

I have situation:
Simple controller:

@Path("/version")
public class VersionController {
    private ApplicationInfo applicationInfo;

    @Inject
    public VersionController(ApplicationInfo applicationInfo) {
        this.applicationInfo = applicationInfo;
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public ApplicationInfo getInfo() {
        return applicationInfo;
    }
}

where ApplicationInfo is POJO binded as singleton with @singleton annotation.
I run in IDE, go to /version endpoint — all goes good.
I build package with maven, run it and get error MessageBodyWriter not found for media type=application/json, type=class com.my.package.ApplicationInfo, genericType=class com.my.package.ApplicationInfo.

Other mime-types work fine.

I found solution. It's necessary to manual register JacksonJsonProvider.class in JerseyConfiguration:

        JerseyConfiguration configuration = JerseyConfiguration.builder()
                .addPackage("com.my.package")
                .registerClasses(JacksonJsonProvider.class) // <-- this
                .addPort(1234)
                .build(); 

Correct me if i'm wrong

PS: Thanks a lot for your lib. I have same troubles, you solution made my life easier :)