Help
  • Explore Community
  • Get Started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Notifications
Login / Register
Community
Community
Notifications
close
  • Forums
  • Knowledge Center
  • Events & Webinars
  • Ideas
  • Blogs
Help
Help
  • Explore Community
  • Get Started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Login / Register
Sustainability
Sustainability

We Value Your Feedback!
Could you please spare a few minutes to share your thoughts on Cloud Connected vs On-Premise Services. Your feedback can help us shape the future of services.
Learn more about the survey or Click here to Launch the survey
Schneider Electric Services Innovation Team!

eclipse jetty vulnerabilities - PCNS 4.2

APC UPS Data Center & Enterprise Solutions Forum

Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • Home
  • Schneider Electric Community
  • APC UPS, Critical Power, Cooling and Racks
  • APC UPS Data Center & Enterprise Solutions Forum
  • eclipse jetty vulnerabilities - PCNS 4.2
Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Mute
  • Printer Friendly Page
Invite a Co-worker
Send a co-worker an invite to the portal.Just enter their email address and we'll connect them to register. After joining, they will belong to the same company.
You have entered an invalid email address. Please re-enter the email address.
This co-worker has already been invited to the Exchange portal. Please invite another co-worker.
Please enter email address
Send Invite Cancel
Invitation Sent
Your invitation was sent.Thanks for sharing Exchange with your co-worker.
Send New Invite Close
Top Experts
User Count
BillP
Administrator BillP Administrator
5060
voidstar_apc
Janeway voidstar_apc
196
Erasmus_apc
Sisko Erasmus_apc
112
Teken
Spock Teken
110
View All

Invite a Colleague

Found this content useful? Share it with a Colleague!

Invite a Colleague Invite
Solved Go to Solution
Back to APC UPS Data Center & Enterprise Solutions Forum
Solved
Anonymous user
Not applicable

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:37 AM

0 Likes
6
1775
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:37 AM

eclipse jetty vulnerabilities - PCNS 4.2

Qualys scans are identifying Eclipse Jetty Vulnerabilities.  It shows we are running 9.1.3v20140225 with Powerchute Network Shutdown version 4.2.  The most recent version on eclipse.org is 9.4.20.v20190813.  Will this work with PCNS 4.2?  

Labels
  • Labels:
  • UPS Management Devices & PowerChute Software
Reply

Link copied. Please paste this link to share this article on your social media post.

  • All forum topics
  • Previous Topic
  • Next Topic

Accepted Solutions
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

0 Likes
0
1775
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

Hi,

This is not officially support however, you can upgrade the Jetty to 9.4.20. First stop the PCNS server. From command prompt as admin enter net stop pcns1

Second go to C:\Program Files\APC\PowerChute\group1\lib and copy these files to a new folder. This step is to save the files in case you need them at a later date. 

  1. Jetty-continuation-9.4.12v20280830.jar
  2. jetty-http-9.4.12.v20180830.jar
  3. jetty-io-9.4.12.v20180830.jar
  4. jetty-security-9.4.12.v20180830.jar
  5. jetty-server-9.4.12.v20180830.jar
  6. jetty-servlet-9.4.12.v20180830.jar
  7. jetty-util-9.4.12.v20180830.jar
  8. jetty-webapp-9.4.12.v20180830.jar
  9. jetty-xml-9.4.12.v20180830.jar

Third download Jetty 9.4.20, open the lib folder and copy these file to C:\Program Files\APC\PowerChute\group1\lib 

  1. jetty-continuation-9.4.20.v20190813.jar
  2. jetty-http-9.4.20.v20190813.jar
  3. jetty-io-9.4.20.v20190813.jar
  4. jetty-security-9.4.20.v20190813.jar
  5. jetty-server-9.4.20.v20190813.jar
  6. jetty-servlet-9.4.20.v20190813.jar
  7. jetty-util-9.4.20.v20190813.jar
  8. jetty-webapp-9.4.20.v20190813.jar
  9. jetty-xml-9.4.20.v20190813

Finally, restart PCNS1 service. 

See Answer In Context

Reply

Link copied. Please paste this link to share this article on your social media post.

Replies 6
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:37 AM

0 Likes
0
1775
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:37 AM

Hi,

You should update to PCNS 4.3 that utilizes Jetty 9.4.12.

Reply

Link copied. Please paste this link to share this article on your social media post.

Anonymous user
Not applicable

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

0 Likes
0
1775
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

Will that run on 2008 R2?

Reply

Link copied. Please paste this link to share this article on your social media post.

BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

0 Likes
0
1775
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

Hi,

It is not an officially support OS however it should work. 

Reply

Link copied. Please paste this link to share this article on your social media post.

Anonymous user
Not applicable

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

0 Likes
0
1775
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

I have updated to PCNS 4.3 on Server 2008R2 with no problems.

The Qualys scans are still showing 2 Eclipse Jetty vulnerabilities:

QID:
13485
Category:
CGI
CVE ID:
CVE-2019-10241
Vendor Reference
Bug 546121
Service Modified:
05/22/2019
PCI Vuln:
Yes
CVSS Base:
4.3
CVSS Temporal:
3.2
CVSS3 Base:
6.1
CVSS3 Temporal:
5.3
THREAT:
Eclipse Jetty is a Java HTTP server and Java Servlet container. While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.

CVE-2019-10241: the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Versions Affected:
9.2.26 and older 
9.3.25 and older
9.4.15 and older

QID Detection Logic:(Unauthenticated)
It looks at http banner to check for vulnerable version of Jetty.

 

that utilizes Jetty 9.4.12.

QID:

13487
Category:
CGI
CVE ID:
CVE-2019-10247
Vendor Reference
Bug 546577
Service Modified:
05/13/2019
PCI Vuln:
Yes
CVSS Base:
5
CVSS Temporal:
3.7
CVSS3 Base:
5.3
CVSS3 Temporal:
4.6
THREAT:
Eclipse Jetty is a Java HTTP server and Java Servlet container.While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.

The server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a Default Handler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Versions Affected:
7.x (all versions) 8.x (all versions) 9.2.27.v20190403 and older 9.3.26.v20190403 and older 9.4.16.v20190411 and older QID Detection Logic:(Unauthenticated)
It looks at http banner to check for vulnerable version of Jetty.

IMPACT:
On successful exploitation it can lead to Disclosure of system information.
SOLUTION:

Customers are advised to refer to Bug 546577 for more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Bug 546577

COMPLIANCE:
Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
Vulnerable version of Eclipse Jetty detected on port 3052 - Jetty(9.4.12.v20180830)

 

Reply

Link copied. Please paste this link to share this article on your social media post.

BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

0 Likes
0
1776
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:02 AM . Last Modified: ‎2024-03-08 04:36 AM

Hi,

This is not officially support however, you can upgrade the Jetty to 9.4.20. First stop the PCNS server. From command prompt as admin enter net stop pcns1

Second go to C:\Program Files\APC\PowerChute\group1\lib and copy these files to a new folder. This step is to save the files in case you need them at a later date. 

  1. Jetty-continuation-9.4.12v20280830.jar
  2. jetty-http-9.4.12.v20180830.jar
  3. jetty-io-9.4.12.v20180830.jar
  4. jetty-security-9.4.12.v20180830.jar
  5. jetty-server-9.4.12.v20180830.jar
  6. jetty-servlet-9.4.12.v20180830.jar
  7. jetty-util-9.4.12.v20180830.jar
  8. jetty-webapp-9.4.12.v20180830.jar
  9. jetty-xml-9.4.12.v20180830.jar

Third download Jetty 9.4.20, open the lib folder and copy these file to C:\Program Files\APC\PowerChute\group1\lib 

  1. jetty-continuation-9.4.20.v20190813.jar
  2. jetty-http-9.4.20.v20190813.jar
  3. jetty-io-9.4.20.v20190813.jar
  4. jetty-security-9.4.20.v20190813.jar
  5. jetty-server-9.4.20.v20190813.jar
  6. jetty-servlet-9.4.20.v20190813.jar
  7. jetty-util-9.4.20.v20190813.jar
  8. jetty-webapp-9.4.20.v20190813.jar
  9. jetty-xml-9.4.20.v20190813

Finally, restart PCNS1 service. 

Reply

Link copied. Please paste this link to share this article on your social media post.

Anonymous user
Not applicable

Posted: ‎2021-06-30 04:03 AM . Last Modified: ‎2024-03-08 04:36 AM

0 Likes
0
1776
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2021-06-30 04:03 AM . Last Modified: ‎2024-03-08 04:36 AM

Bill,

Thanks so much.  It worked with no problems.  Qualys scans were happy.  I have updated all my servers.

Reply

Link copied. Please paste this link to share this article on your social media post.

Preview Exit Preview

never-displayed

You must be signed in to add attachments

never-displayed

 
To The Top!

Forums

  • APC UPS Data Center Backup Solutions
  • EcoStruxure IT
  • EcoStruxure Geo SCADA Expert
  • Metering & Power Quality
  • Schneider Electric Wiser

Knowledge Center

Events & webinars

Ideas

Blogs

Get Started

  • Ask the Community
  • Community Guidelines
  • Community User Guide
  • How-To & Best Practice
  • Experts Leaderboard
  • Contact Support
Brand-Logo
Subscribing is a smart move!
You can subscribe to this board after you log in or create your free account.
Forum-Icon

Create your free account or log in to subscribe to the board - and gain access to more than 10,000+ support articles along with insights from experts and peers.

Register today for FREE

Register Now

Already have an account? Login

Terms & Conditions Privacy Notice Change your Cookie Settings © 2025 Schneider Electric

This is a heading

With achievable small steps, users progress and continually feel satisfaction in task accomplishment.

Usetiful Onboarding Checklist remembers the progress of every user, allowing them to take bite-sized journeys and continue where they left.

of