Remedy - Server - When a Tenable Nessus scan hits the Jetty port, ARS CPU usage increases 25% or more, affecting the whole application

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy AR System Server


    COMPONENT:

    AR System


    APPLIES TO:

    Remedy AR System Server with Jetty 9.4.9.v20180320 (ARS 9.1.04)



    PROBLEM:

    When a Tenable Nessus scan hits the Jetty port, ARS CPU usage increases 25% or more, affecting the whole application.


    CAUSE:

    Java vulnerability in Jetty 9.4.9.v20180320 addressed in Jetty 9.4.11.v20180605


    SOLUTION:

    Please be aware that this is not an AR Server product issue but a Java issue with Jetty 9.4.9.v20180320, which was released with the JVM Selector NIO bug.
    More information is available here: https://github.com/eclipse/jetty.project/issues/2205

    The Jetty team has implemented a workaround in Jetty 9.4.11 by changing the selector thread implementation to address the hang being observed.

    The new Jetty 9.4.11.v20180605 which fixes this vulnerability is part of AR Server version 18.05 (9.1.05) and higher.

    To address this behavior if ARS 9.1.04 is in use:
    1- Upgrade the AR System platform to the latest version so that Jetty is also updated.
    or
    2- Exclude from any security the directories where Jetty is located.
    Refer to the following documentation: https://docs.bmc.com/docs/cloudlifecyclemanagement/46/configuring-security-settings-669197550.html
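
    To confirm which Jetty build a server actually ships, the following added example (not BMC or Jetty code) reads the version from Jetty jar file names or a `Jetty(...)` server banner and compares it numerically with the fixed release 9.4.11 named above. Flagging every build older than 9.4.11 is an assumption, since this article names only 9.4.9.v20180320 as affected; the directory to scan is supplied by the caller.

```python
import re
from pathlib import Path

# Fixed release named in this article. Assumption: any older build is flagged.
FIXED = (9, 4, 11)
# Matches Jetty release strings such as 9.4.9.v20180320, as found in jar
# file names or in an HTTP "Server: Jetty(9.4.9.v20180320)" banner.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.v(\d{8})")


def parse_jetty_version(text):
    """Return ((major, minor, patch), build_date) or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4)


def needs_upgrade(text):
    """True if the version in `text` is older than the fixed release.

    The comparison is numeric: as plain strings, "9.4.9" sorts after "9.4.11".
    Returns None when no version can be parsed, so that "unknown" is not
    mistaken for "fine".
    """
    parsed = parse_jetty_version(text)
    if parsed is None:
        return None
    return parsed[0] < FIXED


def scan_directory(root):
    """Map each jetty-*.jar under `root` to its needs_upgrade() result."""
    return {
        str(p): needs_upgrade(p.name)
        for p in sorted(Path(root).rglob("jetty-*.jar"))
    }


if __name__ == "__main__":
    import sys
    # Hypothetical usage: pass the AR Server install directory as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, flag in scan_directory(root).items():
        status = {True: "UPGRADE", False: "ok", None: "unknown"}[flag]
        print(f"{status:8} {jar}")
```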


    Article Number:

    000168982


    Article Type:

    Solutions to a Product Problem


