ICEfaces
  1. ICEfaces
  2. ICE-11564

Update our jQuery and jQuery UI code with new security fixes

          Details

          • Type: Task Task
          • Status: Resolved
          • Priority: Major Major
          • Resolution: Fixed
          • Affects Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
          • Fix Version/s: EE-4.3.0.GA_P06, EE-3.3.0.GA_P12
          • Component/s: ACE-Components
          • Labels:
            None
          • Environment:
            Any

            Description

            The versions of jQuery and jQuery UI that we use are 1.12.4 and 1.8.24, respectively. We stopped upgrading to newer versions of these libraries years ago for a number of reasons, which include the many custom fixes that we have added to that code to work with our components and to preserve the stability that ICEfaces has offered for many years. We have also updated these libraries with security fixes for vulnerabilities that have been found. Those vulnerabilities have been reported in the following wiki article:

            http://www.icesoft.org/wiki/pages/viewpage.action?pageId=16711682

            This JIRA is to find any new vulnerabilities that have been reported in these libraries and to apply the respective security fixes to the custom versions that we keep of these libraries. Any new fixes should be reported in the wiki article above.

            More specific details about these vulnerabilities can be found on these pages:

            https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
            https://stack.watch/product/jquery/
            https://security.snyk.io/package/npm/jquery

            https://www.cvedetails.com/vulnerability-list/vendor_id-14952/Jqueryui.html
            https://stack.watch/product/jqueryui/jquery-ui/
            https://security.snyk.io/package/npm/jquery-ui

              Activity

              Descending order - Click to sort in ascending order
              Hide
              Permalink
              Arturo Zambrano added a comment -

              More related information can be found in the following URLs:

              jQuery

              https://security.snyk.io/package/npm/jquery/1.12.4

              https://stack.watch/product/jquery/

              https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html

              jQuery UI

              https://jqueryui.com/changelog/1.13.0/

              https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce

              https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280

              https://github.com/jquery/jquery-ui/commit/afe20b79a64266e64011f34b26a30b3d1c62fd47

              https://stack.watch/product/jqueryui/jquery-ui/

              https://security.snyk.io/vuln/SNYK-JS-JQUERYUI-1767175

              https://www.cvedetails.com/vulnerability-list/vendor_id-14952/Jqueryui.html

              Show
              Arturo Zambrano added a comment - More related information can be found in the following URLs: jQuery https://security.snyk.io/package/npm/jquery/1.12.4 https://stack.watch/product/jquery/ https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html jQuery UI https://jqueryui.com/changelog/1.13.0/ https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 https://github.com/jquery/jquery-ui/commit/afe20b79a64266e64011f34b26a30b3d1c62fd47 https://stack.watch/product/jqueryui/jquery-ui/ https://security.snyk.io/vuln/SNYK-JS-JQUERYUI-1767175 https://www.cvedetails.com/vulnerability-list/vendor_id-14952/Jqueryui.html
              Hide
              Permalink
              Arturo Zambrano added a comment -

              The resources referenced in the description were reviewed carefully, and there are no new vulnerabilities that have been found in jQuery since the last time that we patched our jQuery code with security fixes. As for jQuery UI, 4 new vulnerabilities have been found since the last time that we patched out jQuery UI code with security fixes. One of those vulnerabilities doesn't apply to our version of jQuery UI, because it's in a widget that our version doesn't have and that we don't use (checkboxradio). The other three vulnerabilities are applicable to our version of jQuery UI and their respective fixes were applied to our code. These are the vulnerabilities that were fixed:

              CVE-2021-41182
              CVE-2021-41184
              These two vulnerabilities were fixed by forcing the interpretation of certain configuration options as CSS selectors (by using the $.find() function applied to the 'document' object). One of the was in the $.position() function and the other was in the DatePicker widget. A similar function in our TimePicker add-on was fixed as well.

              CVE-2021-41183
              These vulnerabilities had to do with the rendering of the DatePicker widget. They were fixed by forcing the interpretation of text inside HTML nodes as plain text and not evaluating it so as to interpret it as HTML markup.

              These were very unlikely XSS vulnerabilities in ICEfaces anyway, because of the fundamental approach of ICEfaces to render the markup in the server and pass it on to the client. Moreover, all input from the user is validated and sanitized.

              Show
              Arturo Zambrano added a comment - The resources referenced in the description were reviewed carefully, and there are no new vulnerabilities that have been found in jQuery since the last time that we patched our jQuery code with security fixes. As for jQuery UI, 4 new vulnerabilities have been found since the last time that we patched out jQuery UI code with security fixes. One of those vulnerabilities doesn't apply to our version of jQuery UI, because it's in a widget that our version doesn't have and that we don't use (checkboxradio). The other three vulnerabilities are applicable to our version of jQuery UI and their respective fixes were applied to our code. These are the vulnerabilities that were fixed: CVE-2021-41182 CVE-2021-41184 These two vulnerabilities were fixed by forcing the interpretation of certain configuration options as CSS selectors (by using the $.find() function applied to the 'document' object). One of the was in the $.position() function and the other was in the DatePicker widget. A similar function in our TimePicker add-on was fixed as well. CVE-2021-41183 These vulnerabilities had to do with the rendering of the DatePicker widget. They were fixed by forcing the interpretation of text inside HTML nodes as plain text and not evaluating it so as to interpret it as HTML markup. These were very unlikely XSS vulnerabilities in ICEfaces anyway, because of the fundamental approach of ICEfaces to render the markup in the server and pass it on to the client. Moreover, all input from the user is validated and sanitized.

                People

                • Assignee:
                  Arturo Zambrano
                  Reporter:
                  Arturo Zambrano
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: