Posted to users@ace.apache.org by "Robert M. Mather" <ro...@gmail.com> on 2015/10/09 16:13:21 UTC

Security flag because Jetty out of date

We're having issues with security audit scans of our servers because the
version of Jetty embedded in ACE is out of date and has a vulnerability.
Here's the message:

Jetty HTTP Server "Cookie Dump Servlet" Escape Sequence Injection Vulnerability

The version of Jetty HTTP server in use has a vulnerability that could
allow an attacker to inject certain arbitrary content into web server
logfiles. This could cause log-reading or -monitoring programs to interpret
this content as commands and take actions on the system.

Is there some reason for the version of Jetty being used? Has anyone looked
into the difficulty of upgrading?

Thanks,

Robert
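The scanner text above describes a log-injection class: request-derived data reaching a log file with CR/LF or terminal escape bytes intact. As an added example (not code from this thread, Jetty or ACE), here are the two defensive checks a reviewer of that finding would want: escape control bytes before a request-derived value is logged, and scan existing log lines for such bytes. The sample log lines are constructed and only loosely imitate an access log with a cookie field.

```python
import re

# ANSI CSI sequence: ESC '[' parameter bytes, intermediate bytes, one final byte.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any C0 control character or DEL; CR/LF here can forge a new log record.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Make a request-derived string safe to write on one log line.

    CR, LF and TAB become visible escapes; every other control byte (including
    ESC, which starts terminal escape sequences) becomes \\xNN. Hypothetical
    helper written for this example, not part of Jetty or ACE.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def find_suspicious_lines(lines):
    """Return (line_number, reason) for log lines that carry an ANSI escape
    sequence or any other control byte, i.e. lines a log viewer might misread."""
    findings = []
    for n, line in enumerate(lines, 1):
        body = line.rstrip("\n")
        if CSI_RE.search(body):
            findings.append((n, "ansi-escape"))
        elif CONTROL_RE.search(body):
            findings.append((n, "control-char"))
    return findings


# Constructed sample: a clean line, one with a terminal 'clear screen'
# sequence inside the cookie value, and one with a bare CR that would
# start a forged second record when the file is viewed.
SAMPLE_LOG = [
    '127.0.0.1 - - [09/Oct/2015:16:13:21 +0000] "GET /dump HTTP/1.1" 200 cookie="session=abc123"\n',
    '127.0.0.1 - - [09/Oct/2015:16:13:22 +0000] "GET /dump HTTP/1.1" 200 cookie="session=\x1b[2Jabc"\n',
    '127.0.0.1 - - [09/Oct/2015:16:13:23 +0000] "GET /dump HTTP/1.1" 200 cookie="x=1\r10.0.0.9 - - forged"\n',
]

if __name__ == "__main__":
    for line_no, reason in find_suspicious_lines(SAMPLE_LOG):
        print(line_no, reason, sanitize_for_log(SAMPLE_LOG[line_no - 1].rstrip("\n")))
```

Run over a real access log, `find_suspicious_lines` gives a quick triage of whether the class of injection the scanner reports has actually been attempted, while `sanitize_for_log` is the shape of the fix any code path that logs raw header or cookie values needs.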