
Deprecate CGI Servlet - CVE-2023-36479 #9887

Closed
sbordet opened this issue Jun 7, 2023 · 7 comments · Fixed by #9888 or #9889
Assignees
Labels
Bug For general bugs on Jetty side

Comments

@sbordet
Contributor

sbordet commented Jun 7, 2023

Jetty version(s)
9+

Description
Class CGI should be deprecated for removal.

@sbordet sbordet added the Bug For general bugs on Jetty side label Jun 7, 2023
@sbordet sbordet self-assigned this Jun 7, 2023
sbordet added a commit that referenced this issue Jun 7, 2023
Signed-off-by: Simone Bordet <[email protected]>
sbordet added a commit that referenced this issue Jun 7, 2023
Signed-off-by: Simone Bordet <[email protected]>
sbordet added a commit that referenced this issue Jun 8, 2023
sbordet added a commit that referenced this issue Jun 8, 2023
@fhackenberger

@sbordet Could you please explain why it's being removed? We are using it in our production setup to serve small generated image files. Having to set up a separate webserver just to run the CGI scripts would break encapsulation for our app.

@joakime joakime changed the title Deprecate CGI Servlet Deprecate CGI Servlet - CVE-2023-36479 Apr 22, 2024
@joakime
Contributor

joakime commented Apr 22, 2024

> @sbordet Could you please explain why it's being removed? We are using it in our production setup to serve small generated image files. Having to set up a separate webserver just to run the CGI scripts would break encapsulation for our app.

See CVE-2023-36479

@fhackenberger

Link for people wondering how to replace it (for PHP): Jetty 12 Guide: FastCGI. I don't see a direct replacement for other CGI scripts which don't have FCGI servers available though (which is our use case). @joakime do you have any hints?

@joakime
Contributor

joakime commented Apr 22, 2024

Correct, FastCGI requires a FastCGI server.

You could copy the CGI.java into your own project and use it as-is (it is open source, just follow the license).
You will have to deal with maintaining it and try to handle the vulnerability on your own. (You might even just prune down its functionality to something very narrowly defined for your use case.)

@fhackenberger

Sure, that always works. Would you be open to a patched CGI.java, fixing the CVE?

@sbordet
Contributor Author

sbordet commented Apr 22, 2024

> Would you be open to a patched CGI.java, fixing the CVE?

It is a big risk to call the Process APIs to invoke an external process -- an attacker would just go:

$ git clone https://github.com/jetty/jetty.project.git
$ cd jetty.project
$ git grep "java.lang.Process"

And start pounding.

As Jetty is continuously reviewed for security vulnerabilities, this would be a liability that would need serious consideration before being re-introduced.

As a matter of fact, to my knowledge, you are the first user that reported using the CGI class.
We removed it in 12 (after long deprecation in 11) with not many concerns, thinking nobody was using it. 🤷🏼‍♂️

@joakime
Contributor

joakime commented Apr 22, 2024

> Sure, that always works. Would you be open to a patched CGI.java, fixing the CVE?

We will not be reintroducing old school CGI features to Jetty.
The risks far outweigh the use and maintenance.
Most projects that used CGI in the past have moved to FastCGI now (the last project I was aware of moving did so back in 2002).
