Christopher Lamb via FreeIPA-users wrote:
Hi all

Security scans of our ipa server report a vulnerability “JQuery 1.2 < 3.5.0 XSS”. The recommended fix is to upgrade jQuery to version 3.5.0 or later.

We are running ipa-server 4.6.4 on OEL 7.2. The newest ipa-server version in our yum repository is 4.6.6.

Hunting around on the server finds multiple instances and versions of jQuery.js which seem to come from ipa, e.g.

/usr/share/doc/pki-base/html/_static/jquery.js 1.4.2
/usr/share/pki/server/webapps/pki/js/jquery.js 1.10.2
/usr/share/ipa/ui/js/libs/jquery.js 2.0.3

So how do we mitigate this vulnerability?

Googling with jQuery and IPA indicates that ipa 4.8.7 comes with jQuery 3.4.1 with backported fixes from 3.5.0 (“. . . A complete upgrade to jQuery 3.5 is impossible at the moment due incompatibility with Bootstrap 3.4.1 which we currently use…”).

https://www.freeipa.org/page/Releases/4.8.7

• 8284: Upgrade jQuery version to actual one
  Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.
• 8325: [WebUI] Fix htmlPrefilter issue in jQuery
  CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA is not allowing to pass arbitrary code into affected jQuery path but we applied jQuery fix anyway.

Issue 8325 indicates an IPA 4.6 patch.

https://pagure.io/freeipa/issue/8325

So would upgrading ipa-server to 4.6.6 contain this fix? Or do I have to upgrade to 4.8.7 or later (which presumably implies upgrading Linux as well)?
The fix for CVE-2020-11022 is in RHEL 7.9 in ipa-4.6.8-4.el7. It still won't make your scanner happy as the fix was backported to jQuery 3.4.1.
I assume it will appear in OEL at some point but you might want to ask Oracle.
rob
On Wed, 07 Oct 2020, Christopher Lamb via FreeIPA-users wrote:
RHEL 7.9 is released already and it contains a rebase to FreeIPA 4.6.8 and a few patches on top of that. ipa-server-4.6.8-5.el7 contains this patchset: https://access.redhat.com/errata/RHSA-2020:3936
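Both replies come down to the same point: on RHEL 7 the fix arrives as a patch inside the ipa-server package, with the jQuery header still reading 3.4.1, so a scanner that keys on the version string keeps reporting the finding. The script below is an added example, not code from FreeIPA, Dogtag or anyone in this thread. It walks a tree for jQuery copies and reports, for each, the header version (what the scanner sees) and whether the pre-3.5.0 htmlPrefilter body is still present (what CVE-2020-11022 is actually about). The assumption it rests on: a copy whose htmlPrefilter still rewrites self-closing tags with the "<$1></$2>" replacement lacks the 3.5.0 fix, since 3.5.0 turned htmlPrefilter into a plain pass-through and that is what a backport carries. The two sample files are constructed stand-ins for a 2.0.3 copy and a patched 3.4.1 copy, and the function names (jquery_version, scan_jquery, package_fix_check and so on) are the example's own.

```shell
#!/bin/sh
# Added example for this thread (not FreeIPA or Dogtag code): inventory the
# jQuery copies on the box and judge each one by the code CVE-2020-11022 is
# about, not by the version string the scanner matches on.
# Assumption: a copy whose htmlPrefilter still uses the "<$1></$2>"
# replacement lacks the 3.5.0 fix; 3.5.0 made htmlPrefilter a pass-through.

# Version declared in the header comment ("jQuery v2.0.3" or
# "jQuery JavaScript Library v1.4.2"); this is all a version-based scanner sees.
jquery_version() {
    v=$(grep -oE 'jQuery (JavaScript Library )?v[0-9]+\.[0-9]+\.[0-9]+' "$1" \
        | head -n 1 | sed 's/.*v//')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Exit 0 when the pre-3.5.0 htmlPrefilter replacement is still in the file.
jquery_has_unfixed_prefilter() {
    grep -qF '<$1></$2>' "$1"
}

# One line per file: "<version> fixed|unfixed <path>".
classify_jquery() {
    if jquery_has_unfixed_prefilter "$1"; then state=unfixed; else state=fixed; fi
    printf '%s %s %s\n' "$(jquery_version "$1")" "$state" "$1"
}

# Walk a tree for jquery*.js; on a real server point it at /usr/share, which
# holds the three paths from the thread (pki-base docs, pki webapp, IPA UI).
scan_jquery() {
    find "$1" -type f -name 'jquery*.js' 2>/dev/null | sort | while read -r f; do
        classify_jquery "$f"
    done
}

# Only meaningful on the IPA host itself (needs rpm, so not exercised here):
# the fix ships inside the ipa-server package, so check the package changelog
# and find out which package owns a given copy.
package_fix_check() {
    rpm -qf "$1"
    rpm -q --changelog ipa-server | grep -i 'CVE-2020-11022'
}

# Constructed sample files standing in for two of the copies discussed.
make_samples() {
    mkdir -p "$1/ipa/ui/js/libs" "$1/patched"
    printf '%s\n' \
        '/*! jQuery v2.0.3 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license */' \
        'htmlPrefilter: function( html ) { return html.replace( rxhtmlPrefilter, "<$1></$2>" ); }' \
        > "$1/ipa/ui/js/libs/jquery.js"
    printf '%s\n' \
        '/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */' \
        'htmlPrefilter: function( html ) { return html; }' \
        > "$1/patched/jquery.js"
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
scan_jquery "$sample_dir"
rm -rf "$sample_dir"
```

On the server, run `scan_jquery /usr/share` as root and then `package_fix_check /usr/share/ipa/ui/js/libs/jquery.js`; a "3.4.1 fixed" line together with a changelog hit for CVE-2020-11022 is the evidence to attach to the scanner exception. Note that the two copies under /usr/share/pki come from the Dogtag PKI packages (pki-base and friends) rather than ipa-server, so an ipa-server update by itself does not change them; `rpm -qf` on each path tells you which package to track for those.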
freeipa-users@lists.fedorahosted.org