Jetty Vulnerabilities?

The Jetty HTTP server is supposed to be more secure and robust than
Apache, Tomcat. Is there any place where I could find what attacks
Jetty is vulnerable to and if there are any holes which would
compromise the security of the web applications?


Re: Jetty Vulnerabilities?

In reply to Clementine:

They only show one unfixed vulnerability relating to directory
traversal and reading of arbitrary files on the web server that has a
partial fix in 3.0/4.0.  This is considered a medium critical flaw that
has not been patched.  The vulnerability has been open since March 04.
They don't appear to have a great record fixing the issue since it
occurred in version 3.x and 4.0 and is in excess of a year old.  That said,
it may be they can't fix the vulnerability due to how the product operates.

I would have to weigh the criticality and data exposure against my needs
before I used it.  I would be very careful in my considerations with
mission critical, sensitive applications, or with private data. But
Jetty might be ideal for an easy to use/maintain application for
inter-office/subnet communications, for example. I would not use this for
any server requiring medium to high security.

Looking at the numbers, it will not handle industrial strength workloads,
but for light loads it appears to be more than adequate.

Not sure how valuable my feedback is as I have never "used" the
product.  I will remedy this as I have just downloaded the product to
get familiar with it.  There may be niches Jetty might be useful for. Thanks,


Re: Jetty Vulnerabilities?

Thanks winged!

I tried some of the XSS attacks and SQL injections in my own network
which uses a Jetty server and I can say it does a good job of escaping
HTML and JavaScript even in its error pages and takes care of other
things which make such servers vulnerable. I'm not quite sure if this
server is more secure than Tomcat and other servers...but looks pretty

Re: Jetty Vulnerabilities?


If they knew what holes there were, they would presumably be plugged.
Certainly the known holes in Apache are plugged. It is the unknown holes
that are the problem. And you will have a hard time finding a list of the
unknown holes.
