ace-users mailing list archives

From "Robert M. Mather" <robert.mather....@gmail.com>
Subject Security flag because Jetty out of date
Date Fri, 09 Oct 2015 14:13:21 GMT
We're having issues with security audit scans of our servers because the
version of Jetty embedded in ACE is out of date and has a vulnerability.
Here's the message:

Jetty HTTP Server "Cookie Dump Servlet" Escape Sequence Injection Vulnerability

The version of Jetty HTTP server in use has a vulnerability that could
allow an attacker to inject certain arbitrary content into web server
logfiles. This could cause log-reading or -monitoring programs to interpret
this content as commands and take actions on the system.

Is there some reason for the version of Jetty being used? Has anyone looked
into the difficulty of upgrading?

Thanks,

Robert
