BMC acknowledges the Jetty vulnerability and we are working on a plan to address this.
Here are more details on the issues involved.

1. DevStudio and Data Import Tool
- Eclipse framework, which is a Third party, bundles Jetty for use by the Eclipse Help System.
- DevStudio and Data Import Tool are Eclipse plugins that use the Eclipse Help System.
- Note that DevStudio and Data Import Tool are typically used by Admin Users and are not installed on all boxes.
- We are investigating if we can disable the Eclipse Help System and instead make it point to the BMC online documentation portal doc.bmc.com for Help on DevStudio and Data Import Tool.

2. Jetty used by AR 8.1 Installers
- AR 8.1 uses Pentaho Data Integration (PDI 4.1.0 Kettle Project), which is a Third party component.
- The Carte Web Server (part of Pentaho Data Integration, PDI 4.1.0) extends Jetty.
- Carte is internally launched by installers for starting ETL Tasks as part of the Install process.
- In general, Carte is not a general Web Server that will be accessed by other Users.
- The latest PDI version 4.4 also uses the vulnerable Jetty version.
- PDI is tightly integrated with the Carte Web Server only (embedded Jetty) and does not give an option of using any other Web Server.
- We are investigating re-building PDI with a Jetty version that fixes the Jetty vulnerability.

For both issues, while the Jetty vulnerability exists in a Third party component, this vulnerability exists only for Admin Users using these products on certain boxes. The vulnerability does not exist on all boxes. The vulnerability does not exist for the end users.

The above 2 issues are tracked internally as defects and we are working on a plan to address these in a Service Pack. If anyone has any specific concerns on the Jetty vulnerability mentioned above or has some useful inputs to share, do get back to us.
Abhijit Rajwade and Ravishankar Munukutla
BMC Software