Upgrade Jetty Version to Align with Airlift HTTP Client and Server Updates to Address Security Vulnerabilities #22846

Open
siddhuoo7 opened this issue May 28, 2024 · 0 comments
siddhuoo7 commented May 28, 2024

Summary

This issue tracks the upgrade of the Jetty version used in Presto to align with recent updates made in the Airlift HTTP client and server. The Jetty dependency version has been updated in the Airlift project to address security vulnerabilities and improve overall performance and stability.

Details

A pull request has been raised in the Airlift project to upgrade Jetty from version 9.4.14.v20181114 to 9.4.54.v20240208 to mitigate several security vulnerabilities and incorporate various improvements. To ensure compatibility and maintain security, we need to perform a similar upgrade in the Presto project.

Changes Required

  1. Remove Hardcoded Dependency Versions:
    Remove hardcoded Jetty dependency versions in individual module dependency management sections.

  2. Add Jetty BOM to Root POM:
    Add the following BOM to the root pom.xml to manage Jetty dependencies centrally:

    <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-bom</artifactId>
        <version>9.4.54.v20240208</version>
        <type>pom</type>
        <scope>import</scope>
    </dependency>

Security Vulnerabilities Addressed

Upgrading to the latest Jetty version addresses multiple security vulnerabilities, including but not limited to:

Improvements and Bug Fixes

In addition to security fixes, the latest Jetty version includes several performance improvements and bug fixes, such as:

  • Enhanced WebSocket handling
  • Improved HTTP/2 support and stability
  • Better compliance with HTTP standards
  • Various memory leak fixes
  • Performance optimizations and reduced CPU usage under high load
@siddhuoo7 siddhuoo7 added the bug label May 28, 2024
@tdcmeehan tdcmeehan self-assigned this May 28, 2024
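The two required changes above (strip per-module Jetty version pins, import jetty-bom in the root POM) are easy to get half-done in a large multi-module build, so the check a reviewer would want is a script that scans every pom.xml and fails if any org.eclipse.jetty dependency still carries its own <version>, or if the root BOM import is missing or at the wrong version. The following is an added example, not code from the Presto or Airlift projects; the three POM documents embedded in it are constructed for the example and the module names are hypothetical.

```python
"""Audit a Maven build for Jetty versions pinned outside the jetty-bom import.

Added example, not code from the Presto or Airlift projects. Reports every
org.eclipse.jetty dependency that still declares its own <version> (in
<dependencies> or <dependencyManagement>) and verifies that the root POM
imports jetty-bom at the expected version. Sample POMs are constructed.
"""
import xml.etree.ElementTree as ET

JETTY_GROUP = "org.eclipse.jetty"
EXPECTED_BOM = "9.4.54.v20240208"   # version from the issue above


def _prefix(root):
    """Return the '{namespace}' prefix of the POM, or '' if it has none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _text(elem, name, pfx):
    child = elem.find(pfx + name)
    return child.text.strip() if child is not None and child.text else None


def _dependencies(root, managed):
    """<dependency> elements from <dependencyManagement> or plain <dependencies>."""
    pfx = _prefix(root)
    path = (f"{pfx}dependencyManagement/{pfx}dependencies" if managed
            else f"{pfx}dependencies")
    container = root.find(path)
    return [] if container is None else container.findall(pfx + "dependency")


def _is_bom_import(dep, pfx):
    return (_text(dep, "artifactId", pfx) == "jetty-bom"
            and _text(dep, "type", pfx) == "pom"
            and _text(dep, "scope", pfx) == "import")


def find_pinned_jetty(pom_xml):
    """List (artifactId, version, section) for Jetty deps with an explicit version.

    Property references such as ${dep.jetty.version} are reported too: once the
    BOM is imported, no Jetty artifact should carry a version of its own.
    """
    root = ET.fromstring(pom_xml)
    pfx = _prefix(root)
    pinned = []
    for managed in (True, False):
        for dep in _dependencies(root, managed):
            if _text(dep, "groupId", pfx) != JETTY_GROUP or _is_bom_import(dep, pfx):
                continue
            version = _text(dep, "version", pfx)
            if version is not None:
                section = "dependencyManagement" if managed else "dependencies"
                pinned.append((_text(dep, "artifactId", pfx), version, section))
    return pinned


def bom_version(pom_xml):
    """Version of the jetty-bom import in <dependencyManagement>, or None."""
    root = ET.fromstring(pom_xml)
    pfx = _prefix(root)
    for dep in _dependencies(root, managed=True):
        if _text(dep, "groupId", pfx) == JETTY_GROUP and _is_bom_import(dep, pfx):
            return _text(dep, "version", pfx)
    return None


def audit(root_pom, module_poms):
    """Return a list of human-readable problems; an empty list means the build is clean."""
    problems = []
    bom = bom_version(root_pom)
    if bom is None:
        problems.append("root pom.xml does not import jetty-bom")
    elif bom != EXPECTED_BOM:
        problems.append(f"root pom.xml imports jetty-bom {bom}, expected {EXPECTED_BOM}")
    for name, pom in [("root pom.xml", root_pom)] + list(module_poms.items()):
        for artifact, version, section in find_pinned_jetty(pom):
            problems.append(f"{name}: {artifact} pinned to {version} in <{section}>")
    return problems


# Constructed sample POMs (hypothetical module names, not Presto's real layout).
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-bom</artifactId>
      <version>9.4.54.v20240208</version><type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
</project>"""

MODULE_A_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId>
      <version>9.4.14.v20181114</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

MODULE_B_POM = """<project>
  <dependencies>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for line in audit(ROOT_POM, {"module-a/pom.xml": MODULE_A_POM,
                                 "module-b/pom.xml": MODULE_B_POM}):
        print(line)
```

In a real checkout, read each `pom.xml` from disk and pass the contents to `audit`; the module with the stale 9.4.14 pin is reported while the clean one is not. Because a hardcoded version in a module's <dependencyManagement> wins over the root BOM for that module, a stale pin would silently keep the vulnerable Jetty in that artifact even after the BOM is added, which is why step 1 matters as much as step 2. After the change, `mvn dependency:tree -Dincludes=org.eclipse.jetty` on the reactor is the runtime confirmation that only the BOM version is resolved.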
Status: 🆕 Unprioritized