Some background information. Yes as mentioned previously Jetty and Tomcat are
somewhat related - having a similar function as web application container.
Remedy mid tier being the web application.
Jetty is designed as a lightweight web container and it also has the advantage
that it includes a web server. So for application developers it is convenient
to install - they just bundle Jetty with their application and you install full
web server, web container (and of course software providers application) in one
go.
It is possible that BMC may be considering using Jetty instead of Tomcat. But
if they have already selected Tomcat, then due to backward compatibility
issues, it would be a fairly big step to ditch Tomcat and move to Jetty.
- Original Message -
From: Longwing, Lj
Newsgroups: public.remedy.arsystem.general
To: arslist@ARSLIST.ORG
Sent: Thursday, July 11, 2013 7:22 PM
Subject: Re: The role Jetty plays
**
Open an issue with BMC on this and they may be willing to either update their
references, or provide you with directions to do so :)
On Thu, Jul 11, 2013 at 12:19 PM, Differ, Alfred W CTR PHD NSWC, 210
alfred.differ@navy.mil wrote:
Ah. Found it. Apparently there are external library references within the
diserver, data import tool, and Developer Studio that reference Jetty jar files.
This is bad news for me. I can't run ARS 8.1 with a compliance issue that
old. My security people would have my head.
Ah well... this is probably what I get for looking at the cutting edge
version. 8)
-al
-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Joe D'Souza
Sent: Wednesday, July 10, 2013 5:23 PM
To: arslist@ARSLIST.ORG
Subject: Re: The role Jetty plays
Neither have I seen or known ARS to be bundled with Jetty. It has got there
some other way but not the AR System installer.
Cheers
Joe
-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Dale Jones
Sent: Wednesday, July 10, 2013 3:11 PM
To: arslist@ARSLIST.ORG
Subject: Re: The role Jetty plays
High Level - Jetty and Tomcat are comparable applications. (Jetty and
Tomcat are often cast as direct competitors.)
I have never seen ARS Install Jetty or even attached to Jetty.
Most likely related to someone else doing installs or testing on your
server.
I would recommend ARS to use Tomcat and have Jetty uninstalled. Check
directory and see when Jetty was installed, most likely not same date as ARS.
Take Care
Dale Jones
DCS
Raleigh, NC
919-523-6034
From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG]
on behalf of Differ, Alfred W CTR PHD NSWC, 210 [alfred.differ@navy.mil]
Sent: Wednesday, July 10, 2013 2:47 PM
To: arslist@ARSLIST.ORG
Subject: The role Jetty plays
Hi all,
I'm learning to install the 8.1 ITSM product line on a windows 2008 R2
environment for development uses. I typically get the IIS webserver and Tomcat
(7) running independently and then do the Remedy installation steps.
I had some issues with the preconfigured suite installer that I won't
bother going into in detail, and decided to install the ARS platform and do
things the old fashioned way while I learned.
What has happened is I have the 8.1 ARS platform installed and it starts
ok, but my security guys are reporting security risks against what I've done
and I'm trying to learn from it. They are seeing an old version of Jetty that
has a known hash collision vulnerability and advising I update it. Since I
never saw anything mentioning Jetty during the install, my first task to find
out which installer did what.
So my questions are as follows:
On the application tier, what role does Jetty play if any?
What tools make use of this feature? (I might be able to skip installing
some parts for now while I learn.)
It is possible this has nothing to do with the Remedy installation since my
sys admins also do things on the server without 'fully' understanding the
implications. I might be barking up the wrong tree. If anyone has any ideas on
what the security finding might suggest, though, I'd appreciate it.
(CVE-2011-4461)
-al
___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the
Answers Are, and have been for 20 years
___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the
Answers Are, and have been for 20 years
___
UNSUBSCRIBE or access
