ICEfaces
  1. ICEfaces
  2. ICE-11564

Update our jQuery and jQuery UI code with new security fixes

    Details

    • Type: Task Task
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
    • Component/s: ACE-Components
    • Labels:
      None
    • Environment:
      Any

      Description

      The versions of jQuery and jQuery UI that we use are 1.12.4 and 1.8.24, respectively. We stopped upgrading to newer versions of these libraries years ago for a number of reasons, which include the many custom fixes that we have added to that code to work with our components and to preserve the stability that ICEfaces has offered for many years. We have also updated these libraries with security fixes for vulnerabilities that have been found. Those vulnerabilities have been reported in the following wiki article:

      http://www.icesoft.org/wiki/pages/viewpage.action?pageId=16711682

      This JIRA is to find any new vulnerabilities that have been reported in these libraries and to apply the respective security fixes to the custom versions that we keep of these libraries. Any new fixes should be reported in the wiki article above.

      More specific details about these vulnerabilities can be found on these pages:

      https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
      https://stack.watch/product/jquery/
      https://security.snyk.io/package/npm/jquery

      https://www.cvedetails.com/vulnerability-list/vendor_id-14952/Jqueryui.html
      https://stack.watch/product/jqueryui/jquery-ui/
      https://security.snyk.io/package/npm/jquery-ui

        Activity

        Hide
        Arturo Zambrano added a comment -

        The resources referenced in the description were reviewed carefully, and there are no new vulnerabilities that have been found in jQuery since the last time that we patched our jQuery code with security fixes. As for jQuery UI, 4 new vulnerabilities have been found since the last time that we patched out jQuery UI code with security fixes. One of those vulnerabilities doesn't apply to our version of jQuery UI, because it's in a widget that our version doesn't have and that we don't use (checkboxradio). The other three vulnerabilities are applicable to our version of jQuery UI and their respective fixes were applied to our code. These are the vulnerabilities that were fixed:

        CVE-2021-41182
        CVE-2021-41184
        These two vulnerabilities were fixed by forcing the interpretation of certain configuration options as CSS selectors (by using the $.find() function applied to the 'document' object). One of the was in the $.position() function and the other was in the DatePicker widget. A similar function in our TimePicker add-on was fixed as well.

        CVE-2021-41183
        These vulnerabilities had to do with the rendering of the DatePicker widget. They were fixed by forcing the interpretation of text inside HTML nodes as plain text and not evaluating it so as to interpret it as HTML markup.

        These were very unlikely XSS vulnerabilities in ICEfaces anyway, because of the fundamental approach of ICEfaces to render the markup in the server and pass it on to the client. Moreover, all input from the user is validated and sanitized.

        Show
        Arturo Zambrano added a comment - The resources referenced in the description were reviewed carefully, and there are no new vulnerabilities that have been found in jQuery since the last time that we patched our jQuery code with security fixes. As for jQuery UI, 4 new vulnerabilities have been found since the last time that we patched out jQuery UI code with security fixes. One of those vulnerabilities doesn't apply to our version of jQuery UI, because it's in a widget that our version doesn't have and that we don't use (checkboxradio). The other three vulnerabilities are applicable to our version of jQuery UI and their respective fixes were applied to our code. These are the vulnerabilities that were fixed: CVE-2021-41182 CVE-2021-41184 These two vulnerabilities were fixed by forcing the interpretation of certain configuration options as CSS selectors (by using the $.find() function applied to the 'document' object). One of the was in the $.position() function and the other was in the DatePicker widget. A similar function in our TimePicker add-on was fixed as well. CVE-2021-41183 These vulnerabilities had to do with the rendering of the DatePicker widget. They were fixed by forcing the interpretation of text inside HTML nodes as plain text and not evaluating it so as to interpret it as HTML markup. These were very unlikely XSS vulnerabilities in ICEfaces anyway, because of the fundamental approach of ICEfaces to render the markup in the server and pass it on to the client. Moreover, all input from the user is validated and sanitized.
        Show
        Arturo Zambrano added a comment - More related information can be found in the following URLs: jQuery https://security.snyk.io/package/npm/jquery/1.12.4 https://stack.watch/product/jquery/ https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html jQuery UI https://jqueryui.com/changelog/1.13.0/ https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 https://github.com/jquery/jquery-ui/commit/afe20b79a64266e64011f34b26a30b3d1c62fd47 https://stack.watch/product/jqueryui/jquery-ui/ https://security.snyk.io/vuln/SNYK-JS-JQUERYUI-1767175 https://www.cvedetails.com/vulnerability-list/vendor_id-14952/Jqueryui.html

          People

          • Assignee:
            Arturo Zambrano
            Reporter:
            Arturo Zambrano
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated: