eclipse jetty vulnerabilities - PCNS 4.2

Anonymous user · ‎2021-06-30

Qualys scans are identifying Eclipse Jetty Vulnerabilities. It shows we are running 9.1.3v20140225 with Powerchute Network Shutdown version 4.2. The most recent version on eclipse.org is 9.4.20.v20190813. Will this work with PCNS 4.2?

BillP · ‎2021-06-30

Hi,

This is not officially support however, you can upgrade the Jetty to 9.4.20. First stop the PCNS server. From command prompt as admin enter net stop pcns1

Second go to C:\Program Files\APC\PowerChute\group1\lib and copy these files to a new folder. This step is to save the files in case you need them at a later date.

Jetty-continuation-9.4.12v20280830.jar
jetty-http-9.4.12.v20180830.jar
jetty-io-9.4.12.v20180830.jar
jetty-security-9.4.12.v20180830.jar
jetty-server-9.4.12.v20180830.jar
jetty-servlet-9.4.12.v20180830.jar
jetty-util-9.4.12.v20180830.jar
jetty-webapp-9.4.12.v20180830.jar
jetty-xml-9.4.12.v20180830.jar

Third download Jetty 9.4.20, open the lib folder and copy these file to C:\Program Files\APC\PowerChute\group1\lib

jetty-continuation-9.4.20.v20190813.jar
jetty-http-9.4.20.v20190813.jar
jetty-io-9.4.20.v20190813.jar
jetty-security-9.4.20.v20190813.jar
jetty-server-9.4.20.v20190813.jar
jetty-servlet-9.4.20.v20190813.jar
jetty-util-9.4.20.v20190813.jar
jetty-webapp-9.4.20.v20190813.jar
jetty-xml-9.4.20.v20190813

Finally, restart PCNS1 service.

See Answer In Context

BillP · ‎2021-06-30

Hi,

You should update to PCNS 4.3 that utilizes Jetty 9.4.12.

Anonymous user · ‎2021-06-30

Will that run on 2008 R2?

BillP · ‎2021-06-30

Hi,

It is not an officially support OS however it should work.

Anonymous user · ‎2021-06-30

I have updated to PCNS 4.3 on Server 2008R2 with no problems.

The Qualys scans are still showing 2 Eclipse Jetty vulnerabilities:

QID:: 13485
Category:: CGI
CVE ID:: CVE-2019-10241
Vendor Reference: Bug 546121; Service Modified:; 05/22/2019; PCI Vuln:; Yes

CVSS Base:: 4.3
CVSS Temporal:: 3.2
CVSS3 Base:: 6.1
CVSS3 Temporal:: 5.3

THREAT:

Eclipse Jetty is a Java HTTP server and Java Servlet container. While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.

CVE-2019-10241: the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Versions Affected:
9.2.26 and older
9.3.25 and older
9.4.15 and older

QID Detection Logic:(Unauthenticated)
It looks at http banner to check for vulnerable version of Jetty.

that utilizes Jetty 9.4.12.

QID:

13487
Category:: CGI
CVE ID:: CVE-2019-10247
Vendor Reference: Bug 546577
Service Modified:: 05/13/2019
PCI Vuln:: Yes

CVSS Base:: 5
CVSS Temporal:: 3.7
CVSS3 Base:: 5.3
CVSS3 Temporal:: 4.6

THREAT:

Eclipse Jetty is a Java HTTP server and Java Servlet container.While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.

The server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a Default Handler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Versions Affected:
7.x (all versions) 8.x (all versions) 9.2.27.v20190403 and older 9.3.26.v20190403 and older 9.4.16.v20190411 and older QID Detection Logic:(Unauthenticated)
It looks at http banner to check for vulnerable version of Jetty.

IMPACT:

On successful exploitation it can lead to Disclosure of system information.

SOLUTION:

Customers are advised to refer to Bug 546577 for more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Bug 546577

COMPLIANCE:

Not Applicable

EXPLOITABILITY:

There is no exploitability information for this vulnerability.

ASSOCIATED MALWARE:

There is no malware information for this vulnerability.

RESULTS:

Vulnerable version of Eclipse Jetty detected on port 3052 - Jetty(9.4.12.v20180830)

BillP · ‎2021-06-30

Hi,

This is not officially support however, you can upgrade the Jetty to 9.4.20. First stop the PCNS server. From command prompt as admin enter net stop pcns1

Second go to C:\Program Files\APC\PowerChute\group1\lib and copy these files to a new folder. This step is to save the files in case you need them at a later date.

Jetty-continuation-9.4.12v20280830.jar
jetty-http-9.4.12.v20180830.jar
jetty-io-9.4.12.v20180830.jar
jetty-security-9.4.12.v20180830.jar
jetty-server-9.4.12.v20180830.jar
jetty-servlet-9.4.12.v20180830.jar
jetty-util-9.4.12.v20180830.jar
jetty-webapp-9.4.12.v20180830.jar
jetty-xml-9.4.12.v20180830.jar

Third download Jetty 9.4.20, open the lib folder and copy these file to C:\Program Files\APC\PowerChute\group1\lib

jetty-continuation-9.4.20.v20190813.jar
jetty-http-9.4.20.v20190813.jar
jetty-io-9.4.20.v20190813.jar
jetty-security-9.4.20.v20190813.jar
jetty-server-9.4.20.v20190813.jar
jetty-servlet-9.4.20.v20190813.jar
jetty-util-9.4.20.v20190813.jar
jetty-webapp-9.4.20.v20190813.jar
jetty-xml-9.4.20.v20190813

Finally, restart PCNS1 service.

Anonymous user · ‎2021-06-30

Bill,

Thanks so much. It worked with no problems. Qualys scans were happy. I have updated all my servers.