[BlueOnyx:26661] Re: jquery warning

Michael Stauber mstauber at blueonyx.it
Tue Dec 12 10:50:19 -05 2023


Hi Tobias,

> a customer of ours has initiated a vulnerability scan of his website. An 
> outcome of this is a warning of a vulnerable Version of jQuery: 
> "jQueryJS 1.7.2". This version seems to be part of BlueOnyx itself.

Yes, the old Adminica GUI on BlueOnyx 5209R, 5210R and 5211R is using an 
older jQuery. As we're working on a newer GUI for 5211R (and early next 
year for 5210R) that uses more modern components this will eventually 
get addressed.

As for what those exact vulnerabilities are? All jQuery 1.7.2 
vulnerabilities boil down to Cross-site Scripting (XSS):

https://security.snyk.io/package/npm/jquery/1.7.2

Which is to be expected. The net effect on a BlueOnyx itself is 
zero, though. For starters: Only logged in GUI users get to see pages 
with active jQuery elements and a limited subset of jQuery scripts is 
then used to show/hide inactive and active GUI elements or to populate 
bar graphs, statistics and some limited elements with data.

The GUI itself doesn't allow external sources to be referenced and has 
active CSRF protection and additional XSS filtering.

So even if someone managed to trick a user into opening a link that 
contained a URL to within the GUI with a hand-crafted payload? During 
login page that payload would be sanitized and removed. Even if the user 
used a vulnerable browser where active elements in one tab somehow 
affect the tab where the GUI is open? The XSS filter and CSRF would 
render that attempt useless.

Even if not (and that would be a long shot): The final step in the 
defense are the CODB ACLs and the input validation done by CCEd itself.

Bottom line: It's a well-intended warning, but we have this mitigated on 
so many levels that it's not an issue.

> Short question: is it possible to update this to eliminate this warning?

Upgrading jQuery itself is a can of worms, as lots of the scripts the 
old Adminica GUI uses may not be compatible with newer jQuery versions 
and therefore would need updates as well. For 5209R with its fast 
approaching EOL this isn't worth the hassles.

For 5211R and 5210R we have the new Elmer GUI in development, which will 
address the issue by having a much newer jQuery.

In the meantime the best I can offer for all BlueOnyx versions: There 
are migration plugins that allow to use a newer jQuery and extend it 
with functions that were deprecated. That might address some compat 
issues between the newer jQuery and some older extensions.

If that doesn't work, I'll roll out a YUM update with a patched jQuery 
that fixes most of the XSS issues and reports a version number that 
automated scanners won't trip over backwards.

I'll look into this today.

-- 
With best regards

Michael Stauber
