TOR-017 — website – Outdated Jetty version on metrics.torproject.org
Technical description:
While performing a deep dive into the codebase of the Tor metrics website, we found that it pins a Jetty 9.2.x release that is several years old. Along with this old Jetty server, the project ships older dependencies that suffer from publicly known security vulnerabilities. We then confirmed that the public site https://metrics.torproject.org/ advertises a Jetty 9.2 version in its Server header, as shown in the HTTP response below.
Request
GET / HTTP/1.1
Host: metrics.torproject.org
Content-Length: 2
Response
HTTP/1.1 200 OK
Date: Thu, 27 Jul 2023 16:38:38 GMT
Server: Jetty(9.2.z-SNAPSHOT)
The Server header hides the patch level (9.2.z-SNAPSHOT), but the probable exact version (9.2.21.v20170120, i.e. a build from January 2017) is pinned in the project's public repository, in tpo/network-health/metrics/website/-/blob/master/build.xml:
<?xml version="1.0"?>
<project default="usage" name="metrics-web" basedir="."
xmlns:ivy="antlib:org.apache.ivy.ant">
<property name="javadoc-title" value="MetricsWeb API Documentation"/>
<property name="jetty.version" value="-9.2.21.v20170120" />
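The two checks above (reading the Server banner, then recovering the hidden patch level from the pinned build.xml property) can be scripted so they are repeatable after an upgrade. The following is an added example written for this finding, not code from the Tor metrics project: the HTTP responses and the build.xml fragment are constructed to mirror the evidence above, and the baseline version passed to assess() is an assumption the assessor supplies (here 9.4.0, chosen only to illustrate a line that is newer than 9.2).

```python
"""Fingerprint a Jetty version from an HTTP Server banner and from a
build.xml jetty.version property, then compare it against a baseline.

Added example for this finding; not code from the Tor metrics project.
All sample data below is constructed, not captured from the live site.
"""
import re
from typing import Optional, Tuple

# Constructed sample responses modelled on the finding (not real captures).
SAMPLE_RESPONSES = {
    "metrics-like": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Thu, 27 Jul 2023 16:38:38 GMT\r\n"
        "Server: Jetty(9.2.z-SNAPSHOT)\r\n\r\n"
    ),
    "patched": "HTTP/1.1 200 OK\r\nServer: Jetty(9.4.51.v20230217)\r\n\r\n",
    "no-banner": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

# Constructed build.xml fragment mirroring the property quoted in the finding.
SAMPLE_BUILD_XML = '<property name="jetty.version" value="-9.2.21.v20170120" />'

# Jetty versions look like 9.4.51.v20230217; a "z" patch component
# (as in 9.2.z-SNAPSHOT) means the exact patch level is not disclosed.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+|z)(?:\.v(\d{8}))?")

Version = Tuple[int, int, Optional[int], Optional[str]]  # major, minor, patch, build date


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_version(text: str) -> Optional[Version]:
    """Parse major, minor, patch (None when 'z') and build date from text."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), None if patch == "z" else int(patch), build)


def jetty_version_from_response(raw_response: str) -> Optional[Version]:
    """Extract the Jetty version advertised in the Server header, if any."""
    banner = server_header(raw_response)
    if banner is None or not banner.startswith("Jetty("):
        return None
    return parse_version(banner)


def jetty_version_from_build_xml(xml_text: str) -> Optional[Version]:
    """Read the jetty.version property; the leading '-' is only a name prefix."""
    m = re.search(r'name="jetty\.version"\s+value="-?([^"]+)"', xml_text)
    return parse_version(m.group(1)) if m else None


def assess(version: Optional[Version], baseline: Tuple[int, int, int]) -> str:
    """Compare a parsed version against a baseline chosen by the assessor.

    The baseline is an assumption supplied by the caller (for example the
    oldest release line still receiving security fixes when the test runs).
    """
    if version is None:
        return "unknown: no Jetty banner (check build files or error pages)"
    major, minor, patch, _build = version
    if (major, minor) < baseline[:2]:
        return f"outdated: {major}.{minor} is below baseline {baseline[0]}.{baseline[1]}"
    if (major, minor) > baseline[:2] or (patch is not None and patch >= baseline[2]):
        return "at or above baseline"
    if patch is None:
        return f"indeterminate: patch level hidden ({major}.{minor}.z); confirm from build config"
    return f"outdated: patch {patch} is below baseline {baseline[0]}.{baseline[1]}.{baseline[2]}"


if __name__ == "__main__":
    BASELINE = (9, 4, 0)  # assumption for illustration only
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, assess(jetty_version_from_response(raw), BASELINE))
    print("build.xml", assess(jetty_version_from_build_xml(SAMPLE_BUILD_XML), BASELINE))
```

The banner check alone cannot tell 9.2.21 from a later 9.2.x patch, which is why assess() reports "indeterminate" when the patch component is "z" and the major.minor matches the baseline; the build.xml parser is what pins the exact build in that case.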
Impact:
Due to limited time, it was not feasible to verify the Jetty server against the various publicly known vulnerabilities affecting this release line, such as CVE-2021-28165. The impact of those known vulnerabilities ranges from pre-authentication denial of service to remote code execution.
Recommendation:
Upgrade the Jetty server, together with the other dependencies pinned in build.xml, to the latest supported version to prevent possible attacks on Tor's infrastructure, and re-check the Server header after deployment to confirm the new version is actually being served. Suppressing the version banner (Jetty's sendServerVersion setting) reduces what an attacker can fingerprint, but it is not a substitute for patching.