We're having issues with security audit scans of our servers because the version of Jetty embedded in ACE is out of date and has a vulnerability. Here's the message:
Jetty HTTP Server "Cookie Dump Servlet" Escape Sequence Injection Vulnerability

The version of Jetty HTTP server in use has a vulnerability that could allow an attacker to inject certain arbitrary content into web server logfiles. This could cause log-reading or -monitoring programs to interpret this content as commands and take actions on the system.

Is there some reason for the version of Jetty being used? Has anyone looked into the difficulty of upgrading?

Thanks,
Robert
