This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
Remedy AR System Server
Remedy AR System Server with Jetty 9.4.9.v20180320 (ARS 9.1.04)
When a Tenable Nessus scan hits the Jetty port, ARS CPU usage increases by 25% or more, affecting the whole application.
Java vulnerability in Jetty 9.4.9.v20180320 addressed in Jetty 9.4.11.v20180605
Please be aware that this is not an AR Server product issue but a Java issue with Jetty 9.4.9.v20180320, which was released with the JVM Selector NIO bug.
More information is available here: https://github.com/eclipse/jetty.project/issues/2205
The Jetty team implemented a workaround in Jetty 9.4.11 by changing the selector thread implementation to address the hang being observed.
The new Jetty 9.4.11.v20180605, which fixes this vulnerability, is part of AR Server version 18.05 (9.1.05) and higher.
To address this behavior when ARS 9.1.04 is in use:
1- Upgrade the AR System platform to the latest version so that Jetty is also updated.
2- Exclude from any security the directories where Jetty is located.
Refer to the following documentation: https://docs.bmc.com/docs/cloudlifecyclemanagement/46/configuring-security-settings-669197550.html
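To confirm which Jetty build a server actually ships before and after the upgrade, the following added example (not BMC or Jetty code) lists Jetty jars whose version predates 9.4.11.v20180605. It assumes the standard Maven jar naming `jetty-<module>-<version>.jar`; the directory passed to `scan_directory` and the sample listing are hypothetical.

```python
import re
from pathlib import Path

# First Jetty release carrying the selector workaround, per the article.
FIXED = "9.4.11.v20180605"

# Assumed Maven naming: jetty-<module>-<major>.<minor>.<patch>.v<yyyymmdd>.jar
JAR_RE = re.compile(r"^jetty-[a-z0-9-]+?-(\d+\.\d+\.\d+\.v\d{8})\.jar$")


def version_key(version):
    """Turn '9.4.9.v20180320' into (9, 4, 9, 20180320)."""
    major, minor, patch, stamp = version.split(".")
    return int(major), int(minor), int(patch), int(stamp.lstrip("v"))


def predates_fix(version, fixed=FIXED):
    # Compare numerically: as plain strings "9.4.9" sorts after "9.4.11",
    # so a naive string comparison would report 9.4.9 as already fixed.
    return version_key(version) < version_key(fixed)


def find_old_jars(names):
    """Return sorted (jar name, version) pairs older than the fixed release."""
    hits = []
    for name in names:
        jar = Path(name).name
        m = JAR_RE.match(jar)
        if m and predates_fix(m.group(1)):
            hits.append((jar, m.group(1)))
    return sorted(hits)


def scan_directory(root):
    """Check every jetty-*.jar under an install directory given by the caller."""
    return find_old_jars(str(p) for p in Path(root).rglob("jetty-*.jar"))


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real AR Server installation.
    sample = [
        "lib/jetty-server-9.4.9.v20180320.jar",
        "lib/jetty-io-9.4.9.v20180320.jar",
        "lib/jetty-util-9.4.11.v20180605.jar",
        "lib/arserver.jar",
    ]
    for jar, ver in find_old_jars(sample):
        print(f"{jar}: Jetty {ver} predates {FIXED}")
```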