updates/patches & other clarifications on jQuery

sunhux
jQuery (a JavaScript library) is bundled with a number of our
software products (WebLogic, a supplier app, a mobile app): quite a number
of XSS vulnerabilities were found by our pentester.

Q1:
One app vendor replied that updating (i.e. patching) or upgrading
jQuery may destabilize their app. So are we supposed to wait
for these vendors to release their next app release so as to
bundle in a newer, patched jQuery, or can we get the patches/
updates from Oracle and just update/patch it ourselves? Or by doing so,
will we lose the support of the app vendor?

Q2:
In the case of WebLogic 12.2.1.3, jQuery version 3.2 is bundled.
Since both WebLogic and jQuery are from Oracle, is it supported
if we just update jQuery (or, if there is no patch/update, i.e. we
just have to upgrade jQuery to version 3.3 or 3.4)?

Q3:
Are jQuery vulnerabilities the same as JavaScript vulnerabilities (I read on the Oracle
site that jQuery is actually a JavaScript library)?
Most Valuable Expert 2017
Distinguished Expert 2018
Commented:
jQuery is a JavaScript library maintained by the jQuery team (not Oracle).

There are known vulnerabilities with 1.12 but if you are using 3.x you should be fine.

Q2 Since both Weblogic & jQuery are from Oracle
jQuery is not from Oracle. You should be able to upgrade.

jQuery now follows semantic versioning, which means that anything in the 3.x releases has to be backwards compatible. Upgrading 3.2 to 3.4 should not introduce anything that breaks your existing code.

Q3: jQuery IS JavaScript - it is just a library of JavaScript functions.

Author

Commented:
Re Q2: it appears there are typos in the sentence, i.e. "both WL and jQuery are from Oracle", or did you mean WL and JavaScript are from Oracle?

Author

Commented:
So vulnerabilities are fixed in JavaScript itself by Oracle and the jQuery team don't fix them? Any idea which versions of JavaScript are used for the 2.x and 3.x jQuery?

Author

Commented:
Is there any patch at all for jQuery (I can't seem to find any from googling)?
Or is it just JavaScript patches that remediate jQuery's XSS vulnerabilities?
Can you point me to a couple of links for these patches?
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
Just update to the next version. Why do you need a patch?

Author

Commented:
>Why do you need a patch?
I was told by one of our app vendors that if we update from 1.11.x
and 1.12.x to 3.x, their apps may break, hence I'm enquiring whether there is
such a thing as a patch.

I've also noted a number of JavaScript 'virtual patches' in our
IPS: the vendor would not want to update to 3.x, so I'll have
to explore alternative ways of mitigation.
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
There are various posts that describe how you can patch 1.12 manually. jQuery won't do it due to the breaking change requirement.

The new versions don't require a patch (unless you are on 2.x) - if you are on 3 then you can simply update your library to the latest.

Author

Commented:
>There are various posts that describe how you can patch 1.12 manually.
Can you share some of the posts on patching 1.12, 1.11, 2.x?

A couple of our app vendors are not prepared to upgrade to 3.x.
Most Valuable Expert 2017
Distinguished Expert 2018
Commented:
Google "jquery 1.12 xss patch".

Here is one article
https://jonlabelle.com/snippets/view/javascript/jquery-1124-xss-patch

A couple of our app vendors are not prepared to upgrade to 3.x
Then you are stuck with 1.12 and manually patching it.

I have been through this a couple of times with WP sites failing their PCI-DSS - there is not much to be done other than upgrading or manually patching.

Author

Commented:
The above link mentions:
"Cross-site Scripting (XSS) Vulnerability Affecting jquery package, versions <3.0.0-beta1 >1.12.3 || <1.12.0 >=1.4.0:"
So the above XSS fix is applicable for jQuery versions 1.12.4, 1.5.2, 1.11.3, 1.6.4, 2.1.1?

"apply the patch manually in your application code just after loading jQuery"
Can you provide a sample of what application code loading jQuery looks like?
Most Valuable Expert 2017
Distinguished Expert 2018
Commented:
jQuery is just a JavaScript library - you include it with <script> tags like so.

<script src="URL_TO_YOUR_JQUERY_FILE"></script>

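As an added example (not code from this thread or from the linked article), here is what the "patch just after loading jQuery" structure looks like: a version check against the affected range quoted above from the article, and a patch that is applied only when the loaded jQuery falls inside that range. The ajaxPrefilter body is an assumption about what the linked 1.12.4 snippet does (it stops cross-domain ajax responses from being executed as script) and should be checked against the article; in a real page this code sits in a <script> block directly after the jQuery <script src> tag and is called as patchIfAffected(window.jQuery).

```javascript
// Added example: version-gated post-load patch for an older jQuery.
// Range as quoted in the thread from the linked advisory text.
const AFFECTED = "<3.0.0-beta1 >1.12.3 || <1.12.0 >=1.4.0";

function parseVersion(v) {
  // "3.0.0-beta1" -> nums [3, 0, 0], pre "beta1"; a pre-release sorts before its release
  const [core, pre] = v.split("-");
  const nums = core.split(".").map(Number);
  while (nums.length < 3) nums.push(0);
  return { nums, pre: pre || null };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release is newer than its pre-release
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// "||" separates alternatives; whitespace-separated comparators within one
// alternative must all hold (the same shape as the quoted range string).
function satisfies(version, range) {
  return range.split("||").some(clause =>
    clause.trim().split(/\s+/).every(term => {
      const m = term.match(/^(<=|>=|<|>|=)?(.+)$/);
      const op = m[1] || "=";
      const c = compareVersions(version, m[2]);
      return op === "<" ? c < 0 : op === "<=" ? c <= 0 :
             op === ">" ? c > 0 : op === ">=" ? c >= 0 : c === 0;
    }));
}

// Apply the patch to a loaded jQuery object (window.jQuery in a real page).
// Returns true when the patch was applied, false when the version is not affected.
function patchIfAffected(jq) {
  if (!satisfies(jq.fn.jquery, AFFECTED)) return false;
  jq.ajaxPrefilter(function (s) {
    // Assumed patch body: never treat a cross-domain response as executable script
    if (s.crossDomain) s.contents.script = false;
  });
  return true;
}
```

Run against the range string, every version listed in the question (1.12.4, 1.5.2, 1.11.3, 1.6.4, 2.1.1) is inside it, while 3.x versions are not, so the patch is a no-op on an upgraded library.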