Details
- Type: Task
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
- Fix Version/s: EE-4.3.0.GA_P06, EE-3.3.0.GA_P12
- Component/s: ACE-Components
- Labels: None
- Environment: Any
Description
The versions of jQuery and jQuery UI that we use are 1.12.4 and 1.8.24, respectively. We stopped upgrading to newer versions of these libraries years ago for a number of reasons, which include the many custom fixes that we have added to that code to work with our components and to preserve the stability that ICEfaces has offered for many years. We have also updated these libraries with security fixes for vulnerabilities that have been found. Those vulnerabilities have been reported in the following wiki article:
http://www.icesoft.org/wiki/pages/viewpage.action?pageId=16711682
This JIRA is to find any new vulnerabilities that have been reported in these libraries and to apply the respective security fixes to the custom versions that we keep of these libraries. Any new fixes should be reported in the wiki article above.
More specific details about these vulnerabilities can be found on these pages:
https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
https://stack.watch/product/jquery/
https://security.snyk.io/package/npm/jquery
https://www.cvedetails.com/vulnerability-list/vendor_id-14952/Jqueryui.html
https://stack.watch/product/jqueryui/jquery-ui/
https://security.snyk.io/package/npm/jquery-ui
The resources referenced in the description were reviewed carefully, and there are no new vulnerabilities that have been found in jQuery since the last time that we patched our jQuery code with security fixes. As for jQuery UI, 4 new vulnerabilities have been found since the last time that we patched our jQuery UI code with security fixes. One of those vulnerabilities doesn't apply to our version of jQuery UI, because it's in a widget that our version doesn't have and that we don't use (checkboxradio). The other three vulnerabilities are applicable to our version of jQuery UI and their respective fixes were applied to our code. These are the vulnerabilities that were fixed:
CVE-2021-41182
CVE-2021-41184
These two vulnerabilities were fixed by forcing the interpretation of certain configuration options as CSS selectors (by using the $.find() function applied to the 'document' object). One of them was in the $.position() function and the other was in the DatePicker widget. A similar function in our TimePicker add-on was fixed as well.
CVE-2021-41183
These vulnerabilities had to do with the rendering of the DatePicker widget. They were fixed by forcing the interpretation of text inside HTML nodes as plain text and not evaluating it so as to interpret it as HTML markup.
These were very unlikely XSS vulnerabilities in ICEfaces anyway, because of the fundamental approach of ICEfaces to render the markup in the server and pass it on to the client. Moreover, all input from the user is validated and sanitized.
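The two fix patterns described in the comment above, as an added illustration that is not ICEfaces, jQuery or jQuery UI code: a DOM-free model of how `$(string)` decides between markup and selector (the regular expression is the one jQuery 1.x uses for that decision), the `$(document).find()` path that can only ever run a selector query, and the escaping that results when option text is inserted as a text node instead of markup. The function names and the sample option values are constructed for this example.

```javascript
// jQuery 1.x's $(string) uses this pattern to decide whether a string is
// HTML markup (parsed into elements) or a selector (queried in the DOM).
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Pre-fix shape: a widget option (position's `of`, datepicker's `altField`)
// goes straight to $(), so option text that looks like markup is parsed as
// markup rather than used as a selector.
function resolveOptionUnsafe(option) {
  const m = rquickExpr.exec(option);
  if (m && m[1]) {
    return { mode: "html", payload: m[1] }; // would reach $.parseHTML()
  }
  return { mode: "selector", payload: option };
}

// Fixed shape (the approach the comment describes): every value is handed to
// $(document).find(), which only performs a selector query. A value that is
// not a valid selector simply matches nothing (or raises a selector error);
// it is never parsed as markup.
function resolveOptionSafe(option) {
  return { mode: "selector", payload: String(option) };
}

// CVE-2021-41183 pattern: datepicker text options are rendered as plain text.
// Inserting a string as a text node yields exactly this escaping, so any
// markup in the value is displayed literally instead of being interpreted.
function renderAsText(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample option values: a legitimate selector and a value that
// jQuery would otherwise treat as markup.
const sampleOptions = {
  legitimate: "#altDateField",
  markupLike: "<span>not a selector</span>",
};

// Compare how each value is classified on the two code paths.
function compareResolution(option) {
  return {
    before: resolveOptionUnsafe(option).mode,
    after: resolveOptionSafe(option).mode,
  };
}
```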