Ah. Found it. Apparently there are external library references within the diserver, data import tool, and Developer Studio that reference Jetty jar files.
This is bad news for me. I can't run ARS 8.1 with a compliance issue that old. My security people would have my head. Ah well... this is probably what I get for looking at the cutting edge version. 8) -al -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Joe D'Souza Sent: Wednesday, July 10, 2013 5:23 PM To: arslist@ARSLIST.ORG Subject: Re: The role Jetty plays Neither have I seen or known ARS to be bundled with Jetty. It has got there some other way but not the AR System installer. Cheers Joe -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Dale Jones Sent: Wednesday, July 10, 2013 3:11 PM To: arslist@ARSLIST.ORG Subject: Re: The role Jetty plays High Level - Jetty and Tomcat are comparable applications. (Jetty and Tomcat are often cast as direct competitors.) I have never seen ARS Install Jetty or even attached to Jetty. Most likely related to someone else doing installs or testing on your server. I would recommend ARS to use Tomcat and have Jetty uninstalled. Check directory and see when Jetty was installed, most likely not same date as ARS. Take Care Dale Jones DCS Raleigh, NC 919-523-6034 ________________________________________ From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] on behalf of Differ, Alfred W CTR PHD NSWC, 210 [alfred.differ....@navy.mil] Sent: Wednesday, July 10, 2013 2:47 PM To: arslist@ARSLIST.ORG Subject: The role Jetty plays Hi all, I'm learning to install the 8.1 ITSM product line on a windows 2008 R2 environment for development uses. I typically get the IIS webserver and Tomcat (7) running independently and then do the Remedy installation steps. I had some issues with the preconfigured suite installer that I won't bother going into in detail, and decided to install the ARS platform and do things the old fashioned way while I learned. What has happened is I have the 8.1 ARS platform installed and it starts ok, but my security guys are reporting security risks against what I've done and I'm trying to learn from it. They are seeing an old version of Jetty that has a known hash collision vulnerability and advising I update it. Since I never saw anything mentioning Jetty during the install, my first task to find out which installer did what. So my questions are as follows: On the application tier, what role does Jetty play if any? What tools make use of this feature? (I might be able to skip installing some parts for now while I learn.) It is possible this has nothing to do with the Remedy installation since my sys admins also do things on the server without 'fully' understanding the implications. I might be barking up the wrong tree. If anyone has any ideas on what the security finding might suggest, though, I'd appreciate it. (CVE-2011-4461) -al ____________________________________________________________________________ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" ____________________________________________________________________________ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
smime.p7s
Description: S/MIME cryptographic signature