sunhux
asked on
updates/patches & other clarifications on jQuery
jQuery (a JavaScript library) is bundled with a number of our software products (Weblogic, a supplier app, a mobile app): quite a number of XSS vulnerabilities were found by our pentester.
Q1:
One app vendor replied that updating (i.e. patching) or upgrading jQuery may destabilize their app. So are we supposed to wait for these vendors to release their next app release so as to bundle in a newer & patched jQuery, or can we get the patches/updates from Oracle & just update/patch it? Or, by doing so, will we lose the support of the app vendor?
Q2:
In the case of Weblogic 12.2.1.3, jQuery ver 3.2 is bundled. Since both Weblogic & jQuery are from Oracle, is it supported if we just update jQuery (or, if there's no patch/update, i.e. we just have to upgrade jQuery to ver 3.3 or 3.4)?
Q3:
Are jQuery vulnerabilities the same as JavaScript vulnerabilities (I read at the Oracle site that jQuery is actually a JavaScript library)?
ASKER CERTIFIED SOLUTION
ASKER
So vulnerabilities are fixed in JavaScript itself by Oracle and the jQuery team don't fix them? Any idea which versions of JavaScript are used for the 2.x and 3.x jQuery?
ASKER
Is there any patch at all for jQuery (as I can't seem to find any from googling)?
Or is it just JavaScript patches to remediate jQuery's XSS vulnerabilities?
Can you point me to a couple of links for these patches?
Just update to the next version. Why do you need a patch?
ASKER
>Why do you need a patch?
I was told by one of our app vendors that if we update from 1.11.x & 1.12.x to 3.x, their apps may break, thus enquiring if there's such a thing as a patch.
I've also noted a number of JavaScript 'virtual patches' in our IPS: the vendor would not want to update to 3.x, so I'll have to explore alternative ways of mitigation.
There are various posts that describe how you can patch 1.12 manually. jQuery won't do it due to the breaking change requirement.
The new versions don't require a patch (unless you are on 2.x) - if you are on 3 then you can simply update your library to the latest.
ASKER
>There are various posts that describe how you can patch 1.12 manually.
Can you share some of the posts on patching 1.12, 1.11, 2.x?
A couple of our app vendors are not prepared to upgrade to 3.x.
SOLUTION
ASKER
The above link mentions:
"Cross-site Scripting (XSS) Vulnerability Affecting jquery package, versions <3.0.0-beta1 >1.12.3 || <1.12.0 >=1.4.0:"
So is the above XSS fix applicable for jQuery versions 1.12.4, 1.5.2, 1.11.3, 1.6.4, 2.1.1?
"apply the patch manually in your application code just after loading jQuery"
Can you provide a sample of what application code loading jQuery looks like?
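As an added example, not from this thread or the advisory it quotes: the "apply the patch just after loading jQuery" pattern for the pre-3.0 cross-domain AJAX issue (jQuery 1.x/2.x auto-executing a cross-origin response served with a script Content-Type when no `dataType` was set), written as an `ajaxPrefilter` that switches off that sniffing for cross-domain requests. The `fakeJQuery` object is an assumption, a stand-in for the few `jQuery.ajax` settings the prefilter touches, so the effect can be checked offline; in a page you pass the real `window.jQuery` loaded by the preceding `<script>` tag.

```javascript
// Added example: runtime guard applied right after jQuery loads, plus a tiny
// stand-in for the jQuery.ajax plumbing it relies on (ASSUMPTION: real jQuery
// exposes the same settings fields: crossDomain, dataType, contents.script).

const prefilters = [];

const fakeJQuery = {
  ajaxPrefilter(fn) { prefilters.push(fn); },

  // Build the settings object jQuery hands to prefilters for one request.
  // `origin` is the page origin (constructed value for this example).
  prepareRequest(url, opts = {}, origin = "https://app.example.com") {
    const s = {
      url,
      crossDomain: new URL(url, origin).origin !== origin,
      dataType: opts.dataType, // undefined: jQuery infers type from Content-Type
      contents: { script: /\b(?:java|ecma)script\b/ }, // jQuery's default sniff
    };
    for (const fn of prefilters) fn(s);
    return s;
  },

  // Mirrors the decision that matters: with no explicit dataType, a response
  // is auto-executed as script when the Content-Type matches contents.script.
  wouldAutoExecute(s, contentType) {
    if (s.dataType) return s.dataType === "script";
    return !!(s.contents.script && s.contents.script.test(contentType));
  },
};

// The mitigation. Call once, immediately after the jQuery <script> tag.
function applyCrossDomainScriptGuard($) {
  $.ajaxPrefilter(function (s) {
    if (s.crossDomain) {
      s.contents.script = false; // never sniff a cross-origin body into script
    }
  });
}

// Stand-alone demonstration: same request before and after the guard.
const before = fakeJQuery.prepareRequest("https://cdn.example.net/data");
console.log("unguarded cross-domain auto-exec:",
  fakeJQuery.wouldAutoExecute(before, "text/javascript")); // true
applyCrossDomainScriptGuard(fakeJQuery);
const after = fakeJQuery.prepareRequest("https://cdn.example.net/data");
console.log("guarded cross-domain auto-exec:",
  fakeJQuery.wouldAutoExecute(after, "text/javascript")); // false
```

The guard only removes Content-Type sniffing: an explicit `dataType: "script"` (what `$.getScript` uses) still executes, and same-origin requests are untouched, so anything in the app that relied on cross-domain sniffing needs review.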
SOLUTION