
CVE-2024-6763 – Jetty HTTP Vulnerability #703

Status: Open
Labels: SDK (Issue pertains to the SDK itself and not specific to any service)
Opened by @rkumarpa

Description

If you are using the OCI Java SDK and this CVE (CVE-2024-6763) is flagged in your security scan, it may be due to a transitive dependency on org.eclipse.jetty:jetty-http. In such cases, you will need to manually override and update the affected Jetty version, since the SDK cannot directly update the Jetty dependency version because of the limitations described below.


Description

This vulnerability affects Jetty’s jetty-http module. The vulnerability primarily affects applications that use the HttpURI class directly for URI validation or security checks. Jetty’s internal usage of this class is not directly vulnerable.

OCI Java SDK Usage

The SDK does not directly depend on the jetty-http module. The package is pulled transitively via org.eclipse.jetty.websocket:websocket-server → jetty-server → jetty-http. The SDK currently uses Jetty version 9.4.57.v20241219, which includes the official fix for this vulnerability. Despite this, security scanners and repositories like Maven Central may continue to flag the dependency as vulnerable because Jetty 9.4.x is now EOL (end of life), and security scanners often treat all EOL versions as risky regardless of patches.

Why SDK Cannot Upgrade to Jetty 10+

Upgrading to the latest Jetty version (12.0.12 or later) would resolve the vulnerability, but Jetty 12+ requires JDK 17 or newer. Since the SDK must remain compatible with JDK 8, upgrading to Jetty 12 is not feasible at this time.
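The override described above, as an added Maven example that is not part of this issue or of the OCI Java SDK project: a `dependencyManagement` section in the consuming application's `pom.xml` pins every Jetty 9.4 module that arrives transitively (websocket-server → jetty-server → jetty-http) to the version the issue names as carrying the fix, 9.4.57.v20241219. The SDK artifact coordinates, the `oci.sdk.version` property and the project coordinates are placeholders; replace them with whichever oci-java-sdk module your project actually declares.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the OCI Java SDK project's own build file.
     Assumption: a Maven build that depends on an oci-java-sdk module which
     transitively pulls in org.eclipse.jetty.websocket:websocket-server. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- placeholder project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>oci-client-app</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <properties>
    <!-- Version the SDK itself ships with and that contains the CVE-2024-6763 fix
         (taken from the issue text). Keep every Jetty 9.4 module on the same version:
         mixing jetty-http and jetty-server versions breaks at runtime. -->
    <jetty.version>9.4.57.v20241219</jetty.version>
    <!-- placeholder: the oci-java-sdk release your project uses -->
    <oci.sdk.version>REPLACE_WITH_YOUR_SDK_VERSION</oci.sdk.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Entries here take precedence over the versions requested by transitive
           dependencies, so these pins override whatever websocket-server asks for. -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-http</artifactId>
        <version>${jetty.version}</version>
      </dependency>
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-server</artifactId>
        <version>${jetty.version}</version>
      </dependency>
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-io</artifactId>
        <version>${jetty.version}</version>
      </dependency>
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-util</artifactId>
        <version>${jetty.version}</version>
      </dependency>
      <dependency>
        <groupId>org.eclipse.jetty.websocket</groupId>
        <artifactId>websocket-server</artifactId>
        <version>${jetty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- placeholder artifactId: use the oci-java-sdk module your code depends on -->
    <dependency>
      <groupId>com.oracle.oci.sdk</groupId>
      <artifactId>oci-java-sdk-common</artifactId>
      <version>${oci.sdk.version}</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.eclipse.jetty` shows which Jetty versions are actually resolved; every `org.eclipse.jetty` line should carry 9.4.57.v20241219. As the issue notes, a scanner that treats all Jetty 9.4.x releases as EOL may keep flagging the artifact even though the fixed build is in use; the dependency tree output is the evidence to attach when triaging that finding. Pinning to Jetty 12 this way is not an option for a JDK 8 build, and Jetty 12 uses different artifact coordinates in any case, so the 9.4 websocket-server module would not resolve against it.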
