Hi everyone, I'm proposing upgrading from Jetty 9.4.58 to Jetty 12.1.8 in the 4.0.x branch to address multiple CVEs in Jetty 9.4.x:
- CVE-2026-5795 (High) - affects <=9.4.60
- CVE-2026-2332 (High) - affects <=9.4.59
- CVE-2025-11143 (Low) - affects <=9.4.58

Jetty 9.4.x is EOL and only receives commercial non-OSS support. These CVEs will not be fixed in the open-source 9.4.x line. Jetty 12.1.x is the current actively maintained release series with long-term support.

The implementation is available in PR https://github.com/apache/pulsar/pull/25534, which cherry-picks and adapts the Jetty 12 upgrade work already done on branch-4.2 and master (#25100, #25155, #25169) to branch-4.0.

Breaking changes:

There are a few breaking changes to be aware of:

1. AdditionalServlet interface change

The AdditionalServlet interface has a breaking change because the existing interface is coupled directly to the Jetty 9 ServletHolder class. This coupling has been removed.

2. Java version requirement for Athenz authentication

pulsar-client-auth-athenz requires Java 17+ since it depends on Jetty, which requires Java 17+ after the upgrade. The Pulsar Client and Pulsar Admin client themselves remain Java 8+ compatible.

3. Prometheus metrics provider class relocation

The Prometheus metrics provider classes for BookKeeper and ZooKeeper have been relocated, because the default classes depended on Jetty 9.4.x. If you are using the previous default configuration, update the following settings:

bookkeeper.conf / statsProviderClass:
  Old: org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider
  New: org.apache.pulsar.metrics.prometheus.bookkeeper.PrometheusMetricsProvider

zookeeper.conf / metricsProvider.className:
  Old: org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
  New: org.apache.pulsar.metrics.prometheus.zookeeper.PrometheusMetricsProvider

The high-severity CVEs in Jetty 9.4.x are a concrete security concern for Pulsar deployments, with severity depending on exposure and configuration.
They are also a practical blocker under many corporate security policies, where high-severity (CVSS >7.0) CVEs are not acceptable in dependencies or deployed software. Since Jetty 9.4.x is EOL without open-source fixes, the only viable path forward is upgrading to a supported Jetty version. The breaking changes are limited in scope -- the AdditionalServlet interface change affects a plugin API with likely few external implementations, the Athenz Java 17 requirement only affects that specific auth provider, and the metrics provider class names are a straightforward configuration update. I'd appreciate feedback on this proposal. I'll proceed with merging https://github.com/apache/pulsar/pull/25534 after 72 hours unless there are objections. Thanks, Lari
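A practical check to go with the proposal above: before and after the upgrade, an operator will want to confirm which Jetty version actually sits in the broker's lib/ directory and whether it falls inside the affected ranges quoted in the message. The script below is an added example, not code from the post or from the Pulsar project. It assumes the usual jetty-<artifact>-<version>.jar file naming (Jetty 9.4 builds carry a .vYYYYMMDD suffix, e.g. 9.4.58.v20250814), and it encodes exactly the three ranges stated above (<=9.4.60, <=9.4.59, <=9.4.58), nothing more. The sample jar names it scans are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Pulsar proposal or project): report Jetty jars whose
# version falls inside the affected ranges quoted in the upgrade proposal.
# Assumptions: jars are named jetty-<artifact>-<version>.jar, and the affected
# ranges are exactly the three stated in the post.

# vnum VERSION: map "MAJ.MIN.PATCH[.suffix]" to one comparable integer.
# A trailing build qualifier such as "58.v20250814" is reduced to "58".
# Assumes each numeric component is below 1000.
vnum() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    pat=${pat%%.*}
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# version_le A B: succeed when version A <= version B numerically.
version_le() {
    [ "$(vnum "$1")" -le "$(vnum "$2")" ]
}

# jetty_affected_cves VERSION: print the CVE IDs (from the post) whose stated
# range covers VERSION, space separated; print an empty line if none apply.
jetty_affected_cves() {
    out=""
    version_le "$1" 9.4.60 && out="$out CVE-2026-5795"
    version_le "$1" 9.4.59 && out="$out CVE-2026-2332"
    version_le "$1" 9.4.58 && out="$out CVE-2025-11143"
    printf '%s\n' "${out# }"
}

# scan_jetty_jars DIR: print "<jar> <version> <cves>" for each affected Jetty jar.
# Only jars versioned in the 9.x line are considered: the servlet-api jars ship
# under the Jetty groupId with their own numbering (e.g. 4.0.x) and are not
# Jetty itself, so they must not be flagged by the <=9.4.60 comparison.
scan_jetty_jars() {
    for jar in "$1"/jetty-*.jar; do
        [ -e "$jar" ] || continue
        name=${jar##*/}
        name=${name%.jar}
        ver=${name##*-}            # jetty-server-9.4.58.v20250814 -> 9.4.58.v20250814
        case $ver in
            9.*) ;;
            *) continue ;;
        esac
        cves=$(jetty_affected_cves "$ver")
        [ -n "$cves" ] && printf '%s %s %s\n' "${jar##*/}" "$ver" "$cves"
    done
    return 0
}

# demo: constructed lib/ directory (empty files, names only) modelled on a
# pre-upgrade Pulsar install plus one already-upgraded jar.
demo() {
    dir=$(mktemp -d)
    for f in jetty-server-9.4.58.v20250814.jar jetty-servlet-9.4.58.v20250814.jar \
             jetty-servlet-api-4.0.6.jar jetty-server-12.1.8.jar; do
        : > "$dir/$f"
    done
    scan_jetty_jars "$dir"
    rm -rf "$dir"
}

demo
```

Run it against a real install with `scan_jetty_jars /path/to/pulsar/lib`; an empty report after the upgrade, together with the 12.1.8 jars present, is the state you want to see. The version comparison is deliberately numeric rather than a string match, so a 9.4.61 or later 9.4 build (if one ever appears commercially) is correctly reported as outside the quoted ranges.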
