Command Center Jetty vulnerability

Document ID : KB000121205
Last Modified Date : 14/11/2018
Issue:
Security scans have flagged the Jetty version used by APM Command Center as too old to be considered secure.
The Jetty version used in 10.5.2 is 9.2.11.
The most recent version of Command Center at the time, 10.7 SP2, uses Jetty 9.3.14.
Environment:
ACC 10.5.2, 10.7
Cause:
Versions Affected:
9.2.x - prior to 9.2.25.v20180606
9.3.x - prior to 9.3.24.v20180605
9.4.x - prior to 9.4.11.v20180605
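
A version check against the ranges listed above, as an added example (not code from CA or the Jetty project): it classifies a Jetty version string or jar file name as affected or fixed. The function names are hypothetical and the sample inputs are constructed.

```python
import re

# First fixed release per Jetty branch, from the "Versions Affected" list above:
# (major, minor) -> (fixed patch number, fixed build date as YYYYMMDD).
FIXED = {(9, 2): (25, 20180606), (9, 3): (24, 20180605), (9, 4): (11, 20180605)}

# Matches "9.2.11" or "9.2.11.v20150529", alone or inside a jar file name.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?")


def parse_jetty_version(text):
    """Return (major, minor, patch, build_date); build_date is None if absent."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no Jetty version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, int(m.group(4)) if m.group(4) else None


def classify(text):
    """Return 'affected', 'fixed', or 'not-listed' for a version or jar name."""
    major, minor, patch, build = parse_jetty_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "not-listed"  # branch not covered by the list above
    fixed_patch, fixed_build = fixed
    if patch != fixed_patch:
        return "affected" if patch < fixed_patch else "fixed"
    # Same patch number as the fix: only an older build date is still affected.
    return "affected" if build is not None and build < fixed_build else "fixed"


def report(names):
    """Map each input string to its classification."""
    return {name: classify(name) for name in names}


if __name__ == "__main__":
    # Constructed sample inputs: the two versions named in this article,
    # plus boundary cases. The jar name and its date qualifier are made up.
    samples = ["9.2.11", "9.3.14", "jetty-server-9.2.11.v20150529.jar",
               "9.2.25.v20180606", "9.4.10", "9.4.11.v20180605", "8.1.0"]
    for name, status in report(samples).items():
        print(f"{name:40} {status}")
```

Both versions named in this article (9.2.11 and 9.3.14) classify as affected; a result of "not-listed" means the branch is outside the ranges this article covers.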

IMPACT: Successful exploitation can lead to disclosure of system information, modification of system information, modification of user information, hijacking or deletion of the target user's session, and user access via network.
Resolution:
A version of ACC with an updated version of Jetty has been delivered as a hotfix - 10.7 Hotfix 22, reference DE387984

This fix will be available in CA APM/ACC 10.7 SP3
Additional Information:
Information relating to the vulnerability:
https://www.eclipse.org/lists/jetty-announce/msg00123.html