Is there a way to manually update the version of the Jetty jar files that are part of the Dynatrace AppMon installation of 18.104.22.1684?
More info for CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE...
Jetty is a buried component of AppMon and as such we do not generally support allowing customers to update individual components outside of normal product updating procedure. I'm sure you can appreciate the testing and validation of such potential changes would be daunting.
Instead I suggest you update AppMon using normal patching and updating procedures. I'm sure you're aware that your version is already in "Limited Support" and soon (Sept 2018) will be dropped from support.
Thanks for the information. I was under the impression that i was running the latest version of AppMon. We are using the version that was released in April, 22.214.171.1244 built on 2018-04-10.
Is there a way to confirm what versions of jetty the 7.0 and 7.1 AppMon are using?
I just double-checked my local 7.0.5 and 7.1.5 installations and they both come with jetty 9.2.13.
I'm also not aware of any recent jetty updates that we did, so I'm pretty sure that this is still accurate.
so yes that would mean that this jetty instance might be vulnerable to this CVE. however, I'm wondering if this CVE really is of that much importance. after all to my understanding it's "only" about information disclosure of the base resource directory on the server (most probably something like e.g. /opt/dynatrace/server/... on linux). the CVE so far does not even have a risk score (CVSS), but I guess it will be really minor.
how or why exactly are you referring to exactly this CVE?