Qualys scans are identifying Eclipse Jetty Vulnerabilities. It shows we are running 9.1.3v20140225 with Powerchute Network Shutdown version 4.2. The most recent version on eclipse.org is 9.4.20.v20190813. Will this work with PCNS 4.2?
You should update to PCNS 4.3 that utilizes Jetty 9.4.12.
Will that run on 2008 R2?
It is not an officially supported OS; however, it should work.
I have updated to PCNS 4.3 on Server 2008R2 with no problems.
The Qualys scans are still showing 2 Eclipse Jetty vulnerabilities:
CVE-2019-10241: the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
Versions Affected: 9.2.26 and older, 9.3.25 and older, 9.4.15 and older
QID Detection Logic: (Unauthenticated) It looks at the HTTP banner to check for a vulnerable version of Jetty.
The server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a Default Handler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
Versions Affected: 7.x (all versions), 8.x (all versions), 9.2.27.v20190403 and older, 9.3.26.v20190403 and older, 9.4.16.v20190411 and older
QID Detection Logic: (Unauthenticated) It looks at the HTTP banner to check for a vulnerable version of Jetty.
Customers are advised to refer to Bug 546577 for more information.
Patch: Following are links for downloading patches to fix the vulnerabilities:
This is not officially supported; however, you can upgrade Jetty to 9.4.20. First, stop the PCNS server: from a command prompt as admin, enter net stop pcns1
Second, go to C:\Program Files\APC\PowerChute\group1\lib and copy these files to a new folder. This step saves the files in case you need them at a later date.
Third, download Jetty 9.4.20, open its lib folder and copy these files to C:\Program Files\APC\PowerChute\group1\lib
Finally, restart PCNS1 service.
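The Qualys findings above are matched purely on the Jetty version in the HTTP banner, which is why PCNS 4.3's bundled 9.4.12 still trips both checks while 9.4.20 does not. The following is an added example (not from the thread or from APC/Qualys) that reproduces that banner-based check against the affected ranges quoted above; the Server header format "Jetty(x.y.z...)" and the reading of "X.Y.Z and older" as covering lower 9.x branches too are assumptions.

```python
from __future__ import annotations
import re
from typing import Optional

# Affected ranges exactly as listed in the Qualys findings quoted in the thread.
# Assumption: "9.2.26 and older" also covers 9.0.x/9.1.x, since they are older.
FINDINGS = {
    "CVE-2019-10241 (directory listing XSS)": {
        "majors_fully_affected": set(),
        "bounds_9x": [(9, 2, 26), (9, 3, 25), (9, 4, 15)],
    },
    "Base resource path disclosure in 404 page (Bug 546577)": {
        "majors_fully_affected": {7, 8},
        "bounds_9x": [(9, 2, 27), (9, 3, 26), (9, 4, 16)],
    },
}

# Assumed banner shape, e.g. "Jetty(9.4.20.v20190813)"; the date suffix is ignored.
BANNER_RE = re.compile(r"Jetty\((\d+)\.(\d+)\.(\d+)")


def parse_jetty_version(server_header: str) -> Optional[tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header, or None if not Jetty."""
    m = BANNER_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version, finding) -> bool:
    major, minor, _ = version
    if major in finding["majors_fully_affected"]:
        return True
    if major != 9:
        return False
    # Smallest listed branch at or above this branch; "and older" then applies.
    candidates = [b for b in finding["bounds_9x"] if b[1] >= minor]
    return bool(candidates) and version <= min(candidates)


def affected_findings(server_header: str) -> list[str]:
    """Names of the findings above whose version range contains the banner version."""
    version = parse_jetty_version(server_header)
    if version is None:
        return []
    return [name for name, f in FINDINGS.items() if is_affected(version, f)]


if __name__ == "__main__":
    # Constructed sample banners: the version in the original question, the one
    # bundled with PCNS 4.3, and the manual upgrade target from this thread.
    for banner in ("Jetty(9.1.3v20140225)", "Jetty(9.4.12)", "Jetty(9.4.20.v20190813)"):
        print(banner, "->", affected_findings(banner) or "no listed findings")
```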
Thanks so much. It worked with no problems. Qualys scans were happy. I have updated all my servers.