I am trying to get approval to run CF11 in a production environment, and scans keep flagging a Jetty vulnerability -- CVE-2011-4461 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4461). It says the solution is to "upgrade Jetty to version 8.1.0.RC2 or newer."
Can I just upgrade Jetty and keep everything together ColdFusion? It doesn't seem like that would work or, I assume, Adobe would distribute a newer version of Jetty to begin with.
I am not using remote start/stop but am using Solr ... so, I don't think disabling Jetty altogether is an option.
Has anyone else run into this? Would you be willing to share your insight? Thank you.
The Trustwave vulnerability scan has picked up the Jetty service as keeping our PCI compliance scan from passing.
Trustwave is claiming that I need Jetty version 6.1.22 or 7.0.0, which have fixed the two following issues…
Jetty HTTP server "Cookie Dump Servlet" escape sequence injection vulnerability CVE-2009-4611
Jetty HTTP server hash collision denial of service vulnerability CVE-2011-4461.
When I look at the properties of jetty.exe I'm seeing version 14.0.0.
I've sent the above information to the two email addresses listed above.