Log4j Vulnerability in jetty jetty-hightide-7.6.1.v20120215/webapps/cometd.war


We are trying to mitigate the latest log4j vulnerability in our application. Our scans show that jetty-hightide-7.6.1.v20120215/webapps/cometd.war is using the older version of log4j, that is log4j 1. Need help in ways to mitigate this.

Can we delete it from the webapps?

Joakim Erdfelt

Your use of jetty-hightide-7.6.1.v20120215 has far more vulnerabilities present than just cometd.

Jetty 7.x

Jetty 7.x was declared EOL (End of Life) back in 2014.

https://www.eclipse.org/jetty/security_reports.php

Log4j 1.x

Log4j 1.x was declared EOL back in 2015.

https://logging.apache.org/log4j/1.2/

Along with 10 years of security updates to the following other projects present in your ancient jetty-hightide archive.

  • objectweb asm 3.1
  • javax.annotations 1.1
  • derby 10.6
  • javax.activation 1.1
  • glassfish mail 1.4
  • sun el 1.0
  • javax.el 2.1
  • jstl 1.2
  • jsp 2.1
  • glassfish jasper 2.1
  • glassfish taglibs 1.2
  • eclipse jdt 3.7
  • javax.transactions 1.1
  • atomikos 3.7
  • jna 3.2.2
  • setuid native 7.6
  • spring framework 2.5
  • cometd 2.4.0.RC3
  • jackson 1.9
  • log4j 1.2
  • bayeux 2.4
  • dojo 1.7
  • dojox 1.7
  • dijit 1.7
  • jquery 1.6

Every one of the items listed above has had security vulnerabilities associated with it in the past 10 years, and every one of them needs to be evaluated. (Many of the vulnerabilities are actually quite severe, on par with the log4j one you are specifically chasing.)
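An added example, not code from the question or from the answer above: a Python check that inventories the jars bundled under WEB-INF/lib in a WAR such as cometd.war and flags log4j 1.x both by jar filename and by the presence of org/apache/log4j classes, so a renamed or repackaged copy is still caught. The filename pattern is an assumption, and the sample WAR is constructed inline rather than taken from the real jetty-hightide distribution.

```python
import io
import re
import zipfile

# Assumed naming convention: "log4j-1.2.16.jar" -> ("log4j", "1.2.16").
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z][\w.\-]*?)-(?P<version>\d[\w.\-]*)\.jar$")


def inventory_war(war_bytes):
    """List every jar under WEB-INF/lib with its version and whether it ships log4j 1.x classes."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            m = JAR_NAME.match(name.rsplit("/", 1)[-1])
            artifact, version = (m["artifact"], m["version"]) if m else (name, "unknown")
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                # Identify log4j 1.x by its class package, not only by the jar's filename.
                has_log4j1 = any(n.startswith("org/apache/log4j/") and n.endswith(".class")
                                 for n in jar.namelist())
            entries.append({"path": name, "artifact": artifact, "version": version,
                            "log4j1_classes": has_log4j1})
    return entries


def eol_log4j_findings(entries):
    """Paths of jars that bundle the EOL log4j 1.x, matched by name/version or by class content."""
    return [e["path"] for e in entries
            if (e["artifact"] == "log4j" and e["version"].startswith("1."))
            or e["log4j1_classes"]]


def build_sample_war():
    """Constructed sample WAR: one log4j 1.2 jar and one unrelated jar (not the real cometd.war)."""
    def jar(classes):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for c in classes:
                z.writestr(c, b"\xca\xfe\xba\xbe")  # class-file magic, body is a stub
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-1.2.16.jar", jar(["org/apache/log4j/Logger.class"]))
        war.writestr("WEB-INF/lib/jackson-core-asl-1.9.0.jar",
                     jar(["org/codehaus/jackson/JsonParser.class"]))
    return buf.getvalue()
```

Run `inventory_war` over the bytes of each WAR under webapps to get a per-jar inventory; the same class-path check can be extended to the other packages in the list above once their package prefixes are known.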