Question: Weak spot

Hi everybody,

Win10, OE11.7.15

Please forgive if this thread is mis-posted, but I have no clue at all in which forum it would fit.

At a customer we have to work together with another company, which is responsible for overall system security, but these guys are not very cooperative.
Last Friday they sent us a report, saying simply that they have found some "weak spots" on the server where our application is running and we shall fix it.

I don't understand this report at all, so I attached it, hoping that somebody of you might be able to tell me what this is about.

TIA, Wolf
 


Forgot to mention: there is only a database server running (OE WorkGroup RDBMS & Client Networking), no application server.
When we installed openedge, we just accepted the defaults and installed all.
 
Are you also responsible for managing the server?

They seem to want someone (you? or whoever manages the server or network) to set up some firewall rules to limit who can talk to services. That seems reasonable. Unless this server is public facing and needs to accept requests from everyone. If the latter, then just tell them that the business requirement is to accept requests from everyone.

Then there is a bunch of stuff about Eclipse and Jetty... If this is a production server I'm not sure why Eclipse would even be installed so my first impulse would be to uninstall it.
 
Then there is a bunch of stuff about Eclipse and Jetty... If this is a production server I'm not sure why Eclipse would even be installed so my first impulse would be to uninstall it.
Eclipse Jetty is the web server used by OpenEdge Explorer in 11.7. In 12.2 it became just another PASOE instance. Its port, 9090, should not be open to everyone.

As to updating Jetty... 11.7's retirement date is in April 2025 - so this may be the time to upgrade to 12.2 or 12.8.
 
Thanks to both of you for your explanations.
I will discuss it Wednesday with the rest of our team. We are using OpenEdge Explorer but we are not using Jetty.
Might be the easiest solution to just uninstall Eclipse.
 
Stefan is pointing out that "Eclipse Jetty" is used by OpenEdge Explorer. And you very likely are using that. So it is more a matter of needing to restrict access to that port because, otherwise, anyone can fire up OpenEdge Explorer and wreak havoc on your systems. (Instead of just a few pre-approved people...) Especially if your OEE password hygiene is "typical".

You may have to explain to the security people that Eclipse Jetty is embedded in OpenEdge and that you cannot update it except by updating OpenEdge. I have no idea if 11.7.18 addresses the issues that they identified. And, as Stefan also pointed out, the real path forward is 12.8.
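The two replies above (firewall rules to limit who can talk to the service, and restricting access to the OpenEdge Explorer/Jetty port 9090) can be turned into one concrete change on the Windows host. The script below is an added example for this thread, not code from any poster or from Progress: it looks for existing inbound Windows Defender Firewall rules that allow TCP 9090, scopes them to an approved list of management addresses, and creates a scoped allow rule if none exists. The `$ApprovedHosts` addresses, the rule display name and the chosen profiles are placeholders to adapt to the customer's network.

```powershell
# Added example (not from the thread): restrict inbound TCP 9090 (OpenEdge Explorer,
# served by the embedded Eclipse Jetty in 11.7) to a list of approved admin workstations.
# Run in an elevated PowerShell session on the database server.

# Placeholder management addresses; replace with the hosts that are allowed to use OE Explorer.
$ApprovedHosts = @('192.0.2.10', '192.0.2.11')
$RuleName      = 'OpenEdge Explorer (TCP 9090) - approved admins only'   # assumed name

# 1. Find inbound Allow rules that currently open TCP 9090 (possibly to any remote address).
$openRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '9090' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

# 2. Narrow each existing rule's remote-address scope instead of leaving it open to everyone.
foreach ($rule in $openRules) {
    Write-Host "Scoping existing rule '$($rule.DisplayName)' to approved hosts"
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $ApprovedHosts
}

# 3. If nothing allowed the port before (default inbound policy is Block), add one scoped rule
#    so the approved admins keep their access.
if (-not $openRules) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 9090 `
        -RemoteAddress $ApprovedHosts -Action Allow `
        -Profile Domain, Private | Out-Null
    Write-Host "Created scoped allow rule '$RuleName'"
}

# 4. Verification: every inbound Allow rule for 9090 should now list only the approved hosts.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '9090' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ', ') }
    }
```

Scoping the rule to source addresses only helps if the approved workstations are themselves controlled; it does not replace the OpenEdge upgrade that fixes the Jetty findings, it just keeps the management port off the list of things anyone on the network can reach while that upgrade is negotiated with the customer.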
 
Thanks Tom for this input.
Some weeks ago we (as everybody, I guess) got a Progress alert message about the security issues and the recommendation to upgrade to OE11.7.18/19. We forwarded this alert to the customer but nobody was interested. So that's the point we will start the discussion with them.
As I mentioned in my first post: these guys are not very cooperative....
 