
This product reached the end of support date on March 31, 2021.

Can you manually update Jetty version in AppMon 6.5.38.1014 to address CVE-2018-12536

sam_kallman
Newcomer

Is there a way to manually update the version of the Jetty jar files that are part of the Dynatrace AppMon installation of 6.5.38.1014?

More info for CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE...


4 REPLIES

Joe_Hoffman
Dynatrace Leader

Jetty is a buried component of AppMon and as such we do not generally support allowing customers to update individual components outside of normal product updating procedure. I'm sure you can appreciate the testing and validation of such potential changes would be daunting.

Instead I suggest you update AppMon using normal patching and updating procedures. I'm sure you're aware that your version is already in "Limited Support" and soon (Sept 2018) will be dropped from support.


Thanks for the information. I was under the impression that I was running the latest version of AppMon. We are using the version that was released in April, 6.5.38.1014, built on 2018-04-10.

Is there a way to confirm which versions of Jetty AppMon 7.0 and 7.1 are using?


Joe_Hoffman
Dynatrace Leader

Sam, I do not know the version that's inside 7.0 or 7.1. I suggest you open a support case to drive that question to the correct people.


c_schwarzbauer
Dynatrace Champion

Sam,

I just double-checked my local 7.0.5 and 7.1.5 installations and they both come with Jetty 9.2.13.
I'm also not aware of any recent Jetty updates that we did, so I'm pretty sure that this is still accurate.

So yes, that would mean that this Jetty instance might be vulnerable to this CVE. However, I'm wondering if this CVE really is of that much importance. After all, to my understanding it's "only" about information disclosure of the base resource directory on the server (most probably something like e.g. /opt/dynatrace/server/... on Linux). The CVE so far does not even have a risk score (CVSS), but I guess it will be really minor.

How or why exactly are you referring to this CVE?

best,
Christian
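The thread above turns on one question an auditor actually has to answer: which Jetty version is bundled in a given install directory, and is it at or past the release that fixes CVE-2018-12536? The following script is an added example (not Dynatrace or AppMon code, and not posted by anyone in this thread) that inventories `jetty-*.jar` files under an installation path, reads the `Implementation-Version` from each jar's manifest (falling back to the version embedded in the file name), and compares it with the fix releases for the 9.2/9.3/9.4 branches; those fix versions are an assumption you should confirm against the Jetty advisory, and the install path is whatever your AppMon server uses.

```python
"""Inventory bundled Jetty jars and flag versions below the CVE-2018-12536 fix.
Constructed example, not vendor code; confirm FIXED_VERSIONS against the advisory."""
import re
import zipfile
from pathlib import Path

# Assumption: first 9.x releases carrying the fix, per the Jetty advisory.
FIXED_VERSIONS = {(9, 2): (9, 2, 25), (9, 3): (9, 3, 24), (9, 4): (9, 4, 11)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '9.2.13.v20150730'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(jar_path):
    """Prefer Implementation-Version from the manifest; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (KeyError, zipfile.BadZipFile):
        pass  # no manifest or not a jar: use the version in the file name
    return parse_version(Path(jar_path).name)


def is_fixed(version):
    """True only when version is at or above the fix release for its 9.x branch."""
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version >= fixed


def audit_jetty_jars(install_dir):
    """Map each jetty-*.jar under install_dir to (version tuple, fixed?)."""
    report = {}
    for jar in sorted(Path(install_dir).rglob("jetty-*.jar")):
        version = jar_version(jar)
        report[jar.name] = (version, bool(version) and is_fixed(version))
    return report


if __name__ == "__main__":
    import sys
    for name, (version, fixed) in audit_jetty_jars(sys.argv[1]).items():
        print(f"{name}: {version} {'fixed' if fixed else 'NOT fixed'}")
```

Run it as `python audit_jetty.py /opt/dynatrace/server` (path is an assumption); a Jetty 9.2.13 jar, as reported in the thread, comes back as not fixed.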