Thank you very much for this proactive heads up!

Jason

On Wed, Sep 18, 2013 at 8:01 AM, Abhijit Rajwade <abhijit_rajw...@bmc.com> wrote:

> BMC acknowledges the Jetty vulnerability and we are working on a plan to address this.
>
> Here are more details on the issues involved.
>
> 1. DevStudio and Data Import Tool
> - The Eclipse framework, which is a Third party component, bundles Jetty for use by the Eclipse Help System.
> - DevStudio and Data Import Tool are Eclipse plugins that use the Eclipse Help System.
> - Note that DevStudio and Data Import Tool are typically used by Admin Users and are not installed on all boxes.
> - We are investigating if we can disable the Eclipse Help System and instead make it point to the BMC online documentation portal doc.bmc.com for Help on DevStudio and Data Import Tool.
>
> 2. Jetty used by AR 8.1 Installers
> - AR 8.1 uses Pentaho Data Integration (PDI 4.1.0 Kettle Project), which is a Third party component.
> - The Carte Web Server (part of Pentaho Data Integration – PDI 4.1.0) extends Jetty.
> - Carte is internally launched by installers for starting ETL Tasks as part of the Install process.
> - In general, Carte is not a general Web Server that will be accessed by other Users.
> - The latest PDI version 4.4 also uses the vulnerable Jetty version.
> - PDI is tightly integrated with the Carte Web Server only (embedded Jetty) and does not give an option of using any other Web Server.
> - We are investigating re-building PDI with a Jetty version that fixes the Jetty vulnerability.
>
> For both issues, while the Jetty vulnerability exists in a Third party component, this vulnerability exists only for Admin Users using these products on certain boxes. The vulnerability does not exist on all boxes. The vulnerability does not exist for the end users.
>
> The above 2 issues are tracked internally as defects and we are working on a plan to address these in a Service Pack.
>
> If anyone has any specific concerns on the Jetty vulnerability mentioned above or has some useful inputs to share, do get back to us.
>
> Abhijit Rajwade and Ravishankar Munukutla
> BMC Software
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> "Where the Answers Are, and have been for 20 years"
> _______________________________________________________________________________
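As an added defender-side check, not code from this thread or from BMC, Eclipse or Pentaho: the script below walks an install tree (an Eclipse plugins directory, a PDI lib directory, or a whole AR install), reads the manifest version of every Jetty jar it finds and flags those older than a fixed version, so an admin can confirm which boxes actually carry the embedded Jetty the message describes. The fixed version, the jar names and the version numbers in the fixture are constructed placeholders; the thread names no specific versions.

```python
import os
import tempfile
import zipfile
from itertools import takewhile

VERSION_KEYS = ("Bundle-Version", "Implementation-Version", "Specification-Version")
FIXED_JETTY_VERSION = "6.1.26"  # placeholder: use the fixed version your vendor advisory names

def jar_version(path):
    """Version from META-INF/MANIFEST.MF, via the fields Eclipse bundles and plain jars use; None if unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    lines = raw.replace("\r\n", "\n").replace("\n ", "").split("\n")  # rejoin continuation lines
    fields = dict(line.split(":", 1) for line in lines if ":" in line)
    return next((fields[k].strip() for k in VERSION_KEYS if k in fields), None)

def version_tuple(version):
    """Leading dotted numeric components only: '8.1.3.v20120416' -> (8, 1, 3)."""
    return tuple(int(p) for p in takewhile(str.isdigit, (version or "").split(".")))

def is_vulnerable(version, fixed=FIXED_JETTY_VERSION):
    """Older than the fixed version, or no readable version at all (flag it for manual review)."""
    return version is None or version_tuple(version) < version_tuple(fixed)

def find_jetty_jars(root):
    """Walk an install tree (Eclipse plugins dir, PDI lib dir, ...); return sorted (relpath, version) of Jetty jars."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs
             if f.lower().endswith(".jar") and "jetty" in f.lower()]
    return sorted((os.path.relpath(p, root).replace(os.sep, "/"), jar_version(p)) for p in paths)

# Constructed fixture: jar names and versions are illustrative, not BMC's or Eclipse's real bundle set.
SAMPLE_JARS = {
    "plugins/org.mortbay.jetty.server_6.1.23.jar": "Bundle-Version: 6.1.23",
    "plugins/org.eclipse.help.webapp_3.6.0.jar": "Bundle-Version: 3.6.0",
    "data-integration/libext/jetty-6.1.21.jar": "Implementation-Version: 6.1.21",
}

def scan_sample():
    """Write the fixture into a temp dir, scan it, and return {relpath: (version, vulnerable)}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, field in SAMPLE_JARS.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zipfile.ZipFile(path, "w") as zf:
                zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + field + "\n")
        return {p: (v, is_vulnerable(v)) for p, v in find_jetty_jars(root)}
```

Run `find_jetty_jars` against a real install root instead of the fixture; a jar whose version comes back as None is worth opening by hand, since some bundles carry their version only in the file name.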