J, The reported vulnerability is CVE-2002-1858 which is an information disclosure vulnerability via the WEB-INF folder. Jenkins is the only application we've installed on the server and I've verified that Winstone does, in fact, have the vulnerability present. Since I am not sure how the scan tool detects this vulnerability I am equally unsure why it would confuse it with Oracle Application Server, but I would guess that it simply inferred OAS's presence based on the vulnerability being detected.
I was hoping that seeking an exemption would be a more efficient solution than setting up a separate application server, as there is significant bureaucracy involved when installing new applications on a managed asset (as this exercise attests). If it isn't possible or practical to get correspondence stating that Winstone cannot be patched to remediate the vulnerability, I can look into other options, but I wanted to try this avenue first.

See
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1858
https://issues.jenkins-ci.org/browse/JENKINS-11538

Thanks for the response.

On Apr 6, 4:09 pm, johno <[email protected]> wrote:
> Hi John,
>
> Can you be more specific about what patch the vulnerability scanner suggests
> or give more information about the service / vulnerability it found? It
> seems strange it would confuse Winstone servlet container with Oracle
> Application Server.
>
> That said, Winstone is not the only choice for running Jenkins. You can also
> run Jenkins in a servlet container of your choice, e.g. Tomcat / Jetty.
>
> Best of luck,
>
> J
>
> --
> View this message in
> context:http://jenkins.361315.n4.nabble.com/Verification-of-inability-to-reme...
> Sent from the Jenkins users mailing list archive at Nabble.com.
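As an added example, not part of the original thread and not code from the Jenkins or Winstone projects, here is a small checker for the kind of WEB-INF information disclosure the post refers to: a servlet container must never serve the contents of `WEB-INF` to clients, so a direct request for `/WEB-INF/web.xml` that returns the deployment descriptor is a positive result. The list of probe paths, the response heuristics in `classify()` and the sample responses used in the test are assumptions made for this example; a scanner may use other paths or encodings.

```python
"""Probe a servlet container for WEB-INF exposure (added example, not project code).

Usage: python web_inf_check.py http://jenkins.example.internal:8080
"""
import sys
import urllib.error
import urllib.request

# Paths that a compliant servlet container must refuse to serve.
# Constructed for this example; /WEB-INF/web.xml is the canonical probe
# because every deployed web application has one.
WEB_INF_PATHS = [
    "/WEB-INF/web.xml",
    "/WEB-INF/classes/",
    "/WEB-INF/lib/",
]

# Markers (assumed for this example) that the body really is the
# deployment descriptor or a directory listing rather than an app page.
_EXPOSURE_MARKERS = ("<web-app", "<servlet", "index of", "directory listing")


def classify(status, body):
    """Return 'exposed', 'protected' or 'inconclusive' for one HTTP response.

    403/404 means the container (or the application's access control)
    refused the request.  A 200 is only counted as exposure when the body
    looks like web.xml or a directory listing; a 200 carrying a login page
    or an error page is inconclusive rather than a finding.
    """
    if status in (403, 404):
        return "protected"
    if status == 200:
        text = body.decode("utf-8", errors="replace").lower()
        if any(marker in text for marker in _EXPOSURE_MARKERS):
            return "exposed"
    return "inconclusive"


def fetch(base_url, path, timeout=5):
    """GET base_url + path and return (status, first 4 KiB of the body).

    HTTPError is caught so that 403/404 are returned as data, not raised;
    urllib follows redirects, so a login redirect ends up as a 200 page.
    """
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "web-inf-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def check_server(base_url, paths=WEB_INF_PATHS):
    """Probe every path and map it to its verdict."""
    results = {}
    for path in paths:
        status, body = fetch(base_url, path)
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(__doc__)
    verdicts = check_server(sys.argv[1])
    for path, verdict in verdicts.items():
        print(f"{verdict:12} {path}")
    # Non-zero exit if anything under WEB-INF was served.
    sys.exit(1 if "exposed" in verdicts.values() else 0)
```

Run it unauthenticated, the way a network scanner would, and then again with a session that is allowed to read Jenkins pages: a 403 from Jenkins' own authorization layer says nothing about whether the container underneath would serve the file, and a 200 login page is reported as inconclusive rather than as a finding. The same function can be pointed at a Tomcat or Jetty instance to confirm that moving off Winstone actually closes the issue before re-running the scanner.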
