Excellent. 8) That's the ammo I needed. I now suspect they didn't install it either, so we have to consider a possible false positive from the scanner.
Thanks! -al -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Dale Jones Sent: Wednesday, July 10, 2013 12:11 PM To: [email protected] Subject: Re: The role Jetty plays High Level - Jetty and Tomcat are comparable applications. (Jetty and Tomcat are often cast as direct competitors.) I have never seen ARS Install Jetty or even attached to Jetty. Most likely related to someone else doing installs or testing on your server. I would recommend ARS to use Tomcat and have Jetty uninstalled. Check directory and see when Jetty was installed, most likely not same date as ARS. Take Care Dale Jones DCS Raleigh, NC 919-523-6034 ________________________________________ From: Action Request System discussion list(ARSList) [[email protected]] on behalf of Differ, Alfred W CTR PHD NSWC, 210 [[email protected]] Sent: Wednesday, July 10, 2013 2:47 PM To: [email protected] Subject: The role Jetty plays Hi all, I'm learning to install the 8.1 ITSM product line on a windows 2008 R2 environment for development uses. I typically get the IIS webserver and Tomcat (7) running independently and then do the Remedy installation steps. I had some issues with the preconfigured suite installer that I won't bother going into in detail, and decided to install the ARS platform and do things the old fashioned way while I learned. What has happened is I have the 8.1 ARS platform installed and it starts ok, but my security guys are reporting security risks against what I've done and I'm trying to learn from it. They are seeing an old version of Jetty that has a known hash collision vulnerability and advising I update it. Since I never saw anything mentioning Jetty during the install, my first task to find out which installer did what. So my questions are as follows: On the application tier, what role does Jetty play if any? What tools make use of this feature? (I might be able to skip installing some parts for now while I learn.) It is possible this has nothing to do with the Remedy installation since my sys admins also do things on the server without 'fully' understanding the implications. I might be barking up the wrong tree. If anyone has any ideas on what the security finding might suggest, though, I'd appreciate it. (CVE-2011-4461) -al _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
smime.p7s
Description: S/MIME cryptographic signature
