Due to the log4j bug coming out recently a client of ours did a scan of their own system to look for vulnerabilities. Our 7.9.9 Ignition gateway showed up - it’s the first row listed (IP address has been hidden)
Our clients IS employee say that one of our packages is we use is no longer supported. Is this something that would be rectified via upgrading? Is that necessary - is this an exploitable/problematic security issue?
I can ask for more information if I know what to ask - this is all I’ve been told and sent so far. Thoughts appreciated.
Jetty was upgraded from 9.3.8 to 9.4.24 in 7.9.14. Without a CVE number or version information or just… more information in general, that’s all I can think to offer you.
I have full access to the gateway and can ask for more information form the IS employee - is the CVE number something I would find on the gateway or something their security should be able to tell me?
It would be something security or the scanning tool would tell you. There may be CVEs that apply to the version of Jetty you are using, but are in code or components not used by Ignition. Automated tools aren’t smart enough to make this distinction, they just flag any version number reported in any CVE in their database.
You should use this as an excuse to upgrade to 7.9.18 anyway.
The answer I received is
it's a end of life CVE so it doesn't state that there is a vulnerability.
So I guess technically there is nothing vulnerable? I will recommend the upgrade anyways to at least get rid of the warning.