[BlueOnyx:26661] Re: jquery warning
Michael Stauber
mstauber at blueonyx.it
Tue Dec 12 10:50:19 -05 2023
Hi Tobias,
> a customer of ours has initiated a vulnerability scan of his website. An
> outcome of this is a warning of a vulnerable Version of jQuery:
> "jQueryJS 1.7.2". This version seems to be part of BlueOnyx itself.
Yes, the old Adminica GUI on BlueOnyx 5209R, 5210R and 5211R is using an
older jQuery. As we're working on a newer GUI for 5211R (and early next
year for 5210R) that uses more modern components this will eventually
get addressed.
As for what those exact vulnerabilities are? All jQuery 1.7.2
vulnerabilities boil down to Cross-site Scripting (XSS):
https://security.snyk.io/package/npm/jquery/1.7.2
Which is to be expected. The net effect on BlueOnyx itself is
zero, though. For starters: Only logged in GUI users get to see pages
with active jQuery elements and a limited subset of jQuery scripts is
then used to show/hide inactive and active GUI elements or to populate
bar graphs, statistics and some limited elements with data.
The GUI itself doesn't allow external sources to be referenced and has
active CSRF protection and additional XSS filtering.
So even if someone managed to trick a user into opening a link that
contained a URL to within the GUI with a hand-crafted payload? On the
login page that payload would be sanitized and removed. Even if the user
used a vulnerable browser where active elements in one tab somehow
affect the tab where the GUI is open? The XSS filter and CSRF would
render that attempt useless.
Even if not (and that would be a long shot): The final step in the
defense are the CODB ACLs and the input validation done by CCEd itself.
Bottom line: It's a well-intended warning, but we have this mitigated on
so many levels that it's not an issue.
> Short question: is it possible to update this to eliminate this warning?
Upgrading jQuery itself is a can of worms, as lots of the scripts the
old Adminica GUI uses may not be compatible with newer jQuery versions
and therefore would need updates as well. For 5209R with its fast
approaching EOL this isn't worth the hassles.
For 5211R and 5210R we have the new Elmer GUI in development, which will
address the issue by having a much newer jQuery.
In the meantime the best I can offer for all BlueOnyx versions: There
are migration plugins that allow using a newer jQuery and extend it
with functions that were deprecated. That might address some compat
issues between the newer jQuery and some older extensions.
If that doesn't work, I'll roll out a YUM update with a patched jQuery
that fixes most of the XSS issues and reports a version number that
automated scanners won't trip over backwards.
I'll look into this today.
--
With best regards
Michael Stauber