eclipse jetty vulnerabilities - PCNS 4.2 | UPS Management Devices & PowerChute Software

Discussion in UPS Management Devices & PowerChute Software started by Julie, 8/19/2019 2:50 PM
  • jlgonya

    Qualys scans are identifying Eclipse Jetty Vulnerabilities.  It shows we are running 9.1.3v20140225 with Powerchute Network Shutdown version 4.2.  The most recent version on eclipse.org is 9.4.20.v20190813.  Will this work with PCNS 4.2?  

  • wpasquil

    Hi,

    You should update to PCNS 4.3, which utilizes Jetty 9.4.12.

  • jlgonya

    Will that run on 2008 R2?

  • wpasquil

    Hi,

    It is not an officially supported OS; however, it should work.

  • jlgonya

    I have updated to PCNS 4.3 on Server 2008R2 with no problems.

    The Qualys scans are still showing 2 Eclipse Jetty vulnerabilities:

    QID: 13485
    Category: CGI
    CVE ID: CVE-2019-10241
    Vendor Reference: Bug 546121
    Service Modified: 05/22/2019
    PCI Vuln: Yes
    CVSS Base: 4.3
    CVSS Temporal: 3.2
    CVSS3 Base: 6.1
    CVSS3 Temporal: 5.3
    THREAT:
    Eclipse Jetty is a Java HTTP server and Java Servlet container. While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.

    CVE-2019-10241: the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.

    Versions Affected:
    9.2.26 and older 
    9.3.25 and older
    9.4.15 and older

    QID Detection Logic:(Unauthenticated)
    It looks at http banner to check for vulnerable version of Jetty.

    QID: 13487
    Category: CGI
    CVE ID: CVE-2019-10247
    Vendor Reference: Bug 546577
    Service Modified: 05/13/2019
    PCI Vuln: Yes
    CVSS Base: 5
    CVSS Temporal: 3.7
    CVSS3 Base: 5.3
    CVSS3 Temporal: 4.6
    THREAT:
    Eclipse Jetty is a Java HTTP server and Java Servlet container. While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.

    The server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a Default Handler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

    Versions Affected:
    7.x (all versions)
    8.x (all versions)
    9.2.27.v20190403 and older
    9.3.26.v20190403 and older
    9.4.16.v20190411 and older

    QID Detection Logic:(Unauthenticated)
    It looks at http banner to check for vulnerable version of Jetty.

    IMPACT:
    On successful exploitation it can lead to Disclosure of system information.
    SOLUTION:

    Customers are advised to refer to Bug 546577 for more information.

    Patch:
    Following are links for downloading patches to fix the vulnerabilities:

    Bug 546577

    COMPLIANCE:
    Not Applicable
    EXPLOITABILITY:
    There is no exploitability information for this vulnerability.
    ASSOCIATED MALWARE:
    There is no malware information for this vulnerability.
    RESULTS:
    Vulnerable version of Eclipse Jetty detected on port 3052 - Jetty(9.4.12.v20180830)

     
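    The following PowerShell script is an added illustration (not from the thread and not Qualys code) of the banner-based check both findings describe: it reads the Server header from the PCNS HTTP port quoted in the RESULTS line (3052) and compares the Jetty version it finds against the "Versions Affected" thresholds above for the 9.4.x branch. The target host is an assumption you pass in; port 3052 is assumed reachable from where the script runs.

```powershell
# Added example, not from the thread: banner-based check mirroring the Qualys detection
# logic quoted above ("looks at http banner"). Assumes PCNS answers HTTP on port 3052
# as in the RESULTS line; the target host is an assumption supplied by the caller.
param(
    [string]$Target = 'localhost',
    [int]$Port = 3052
)

# First fixed 9.4.x release for each finding, derived from "Versions Affected" above:
# CVE-2019-10241 lists 9.4.15 and older; CVE-2019-10247 lists 9.4.16.v20190411 and older.
$firstFixed = @{
    'CVE-2019-10241' = [version]'9.4.16'
    'CVE-2019-10247' = [version]'9.4.17'
}

function Get-JettyBannerVersion {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.Timeout = 10000
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }  # a 404 still carries the header
    if (-not $resp) { return $null }                                    # connection refused / timed out
    $banner = $resp.Headers['Server']
    $resp.Close()
    # Banner looks like "Jetty(9.4.12.v20180830)"; keep only the numeric part.
    if ($banner -match 'Jetty\((\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

$found = Get-JettyBannerVersion -Url "http://${Target}:${Port}/"
if (-not $found) {
    Write-Warning "No Jetty banner on ${Target}:${Port} (service down, header suppressed, or not Jetty)"
    return
}
Write-Host "Jetty banner reports $found"
foreach ($cve in ($firstFixed.Keys | Sort-Object)) {
    $state = if ($found -lt $firstFixed[$cve]) { 'flagged by banner' } else { 'not flagged' }
    Write-Host ("{0}: {1} (first fixed: {2})" -f $cve, $state, $firstFixed[$cve])
}
```

    Like the scanner, this judges only what the banner advertises, so it is a quick confirmation that a jar swap took effect, not proof that the underlying issue is absent.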

  • wpasquil

    Hi,

    This is not officially supported; however, you can upgrade Jetty to 9.4.20. First, stop the PCNS server. From a command prompt as admin, enter net stop pcns1

    Second, go to C:\Program Files\APC\PowerChute\group1\lib and copy these files to a new folder. This step saves the files in case you need them at a later date.

    1. jetty-continuation-9.4.12.v20180830.jar
    2. jetty-http-9.4.12.v20180830.jar
    3. jetty-io-9.4.12.v20180830.jar
    4. jetty-security-9.4.12.v20180830.jar
    5. jetty-server-9.4.12.v20180830.jar
    6. jetty-servlet-9.4.12.v20180830.jar
    7. jetty-util-9.4.12.v20180830.jar
    8. jetty-webapp-9.4.12.v20180830.jar
    9. jetty-xml-9.4.12.v20180830.jar

    Third, download Jetty 9.4.20, open the lib folder and copy these files to C:\Program Files\APC\PowerChute\group1\lib

    1. jetty-continuation-9.4.20.v20190813.jar
    2. jetty-http-9.4.20.v20190813.jar
    3. jetty-io-9.4.20.v20190813.jar
    4. jetty-security-9.4.20.v20190813.jar
    5. jetty-server-9.4.20.v20190813.jar
    6. jetty-servlet-9.4.20.v20190813.jar
    7. jetty-util-9.4.20.v20190813.jar
    8. jetty-webapp-9.4.20.v20190813.jar
    9. jetty-xml-9.4.20.v20190813.jar

    Finally, restart the PCNS1 service.
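    As an added example (not wpasquil's script and not APC's own tooling), the PowerShell below automates the four steps above on the same lib path and service name given in the reply. It assumes $NewJettyLib points at the lib folder of an unpacked Jetty 9.4.20 download (the default path is a placeholder) and that it runs from an elevated prompt; it moves the old jars out rather than leaving copies beside the new ones so both versions never sit on the classpath together.

```powershell
# Added example, not wpasquil's own script: automates the four manual steps above.
# Assumptions: PCNS lib path and service name as given in the reply; $NewJettyLib is
# the lib folder of an unpacked Jetty 9.4.20 download (placeholder path); run elevated.
param(
    [string]$NewJettyLib = 'C:\temp\jetty-distribution-9.4.20.v20190813\lib',
    [string]$PcnsLib     = 'C:\Program Files\APC\PowerChute\group1\lib',
    [string]$ServiceName = 'pcns1'
)
$modules = 'continuation','http','io','security','server','servlet','util','webapp','xml'
$oldVer  = '9.4.12.v20180830'
$newVer  = '9.4.20.v20190813'

# Confirm every replacement jar exists before touching anything: a half-swapped lib
# folder would leave PCNS unable to start.
$missing = $modules | Where-Object { -not (Test-Path (Join-Path $NewJettyLib "jetty-${_}-${newVer}.jar")) }
if ($missing) { throw "Missing in ${NewJettyLib}: $($missing -join ', ')" }

# First: stop the PCNS service (equivalent of 'net stop pcns1').
Stop-Service -Name $ServiceName -ErrorAction Stop
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Second: save the 9.4.12 jars in a timestamped folder beside lib. They are moved, not
# copied, so the old and new versions are never both on the classpath.
$backup = Join-Path (Split-Path -Path $PcnsLib -Parent) ('lib-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($m in $modules) {
    $old = Join-Path $PcnsLib "jetty-${m}-${oldVer}.jar"
    if (Test-Path $old) { Move-Item -Path $old -Destination $backup }
}

# Third: copy the 9.4.20 jars into place.
foreach ($m in $modules) {
    Copy-Item -Path (Join-Path $NewJettyLib "jetty-${m}-${newVer}.jar") -Destination $PcnsLib
}

# Finally: restart the service and wait until it reports Running.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "Replaced $($modules.Count) Jetty jars; originals saved in $backup"
```

    If the service fails to come back, moving the jars from the backup folder back into lib and restarting restores the shipped 9.4.12 state.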

  • jlgonya

    Bill,

    Thanks so much.  It worked with no problems.  Qualys scans were happy.  I have updated all my servers.
