Hi all
 
Security scans of our ipa server report a vulnerability “JQuery 1.2 < 3.5.0 XSS”.
 
The recommended fix is to upgrade jQuery to version 3.5.0 or later.
 
We are running ipa-server 4.6.4 on OEL 7.2.
 
The newest ipa-server version in our yum repository is 4.6.6.
 
Hunting around on the server finds multiple instances and versions of jQuery.js which seem to come from ipa. e.g.
/usr/share/doc/pki-base/html/_static/jquery.js 1.4.2
/usr/share/pki/server/webapps/pki/js/jquery.js 1.10.2
/usr/share/ipa/ui/js/libs/jquery.js 2.0.3
 
So how do we mitigate this vulnerability?
 
Googling with jQuery and IPA indicates that ipa 4.8.7 comes with jQuery 3.4.1 with backported fixes from 3.5.0 (“. . . A complete upgrade to jQuery 3.5 is impossible at the moment due incompatibility with Bootstrap 3.4.1 which we currently use…”).
 
https://www.freeipa.org/page/Releases/4.8.7
- 8284: Upgrade jQuery version to actual one
  Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.
- 8325: [WebUI] Fix htmlPrefilter issue in jQuery
  CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA is not allowing to pass arbitrary code into affected jQuery path but we applied jQuery fix anyway.
 
Issue 8325 indicates an IPA 4.6 patch.
https://pagure.io/freeipa/issue/8325
 
So would upgrading ipa-server to 4.6.6 contain this fix? Or do I have to upgrade to 4.8.7 or later (which presumably implies upgrading Linux as well)?
 
Cheers
 
Chris
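A check an administrator could run to inventory jQuery copies like the three listed in the post, as an added shell example (not FreeIPA, Dogtag or jQuery code): it reads each file's version from its header comment, compares it against 3.5.0, and flags old builds that still contain the self-closing-tag expansion that upstream removed from htmlPrefilter in 3.5.0. It assumes the header formats of upstream jQuery releases and that a backported fix (such as the one referenced for 4.8.7) also removes that expansion; the fixture files are constructed, not real jQuery.

```shell
#!/bin/sh
# Added inventory helper (not FreeIPA or jQuery code). Assumptions: jQuery
# header comments follow the upstream formats "jQuery JavaScript Library vX.Y.Z"
# or "jQuery vX.Y.Z"; a fix for CVE-2020-11022 removes the self-closing-tag
# expansion string "<$1></$2>" from htmlPrefilter, as upstream 3.5.0 did.

# Print the version string embedded in a jQuery file's header comment.
jquery_version() {
  sed -n 's/.*jQuery\( JavaScript Library\)\{0,1\} v\([0-9][0-9.]*\).*/\2/p' "$1" | head -n 1
}

# True (exit 0) when a version is older than 3.5.0, the first release with the fix.
version_lt_350() {
  echo "$1" | awk -F. '{ exit !( ($1+0) < 3 || (($1+0) == 3 && ($2+0) < 5) ) }'
}

# Heuristic: unpatched builds carry the literal replacement that expands
# "<tag/>" into "<tag></tag>"; minified builds keep the string literal too.
has_selfclosing_expansion() {
  grep -qF '<$1></$2>' "$1"
}

# One tab-separated line per file: path, version, status.
report_jquery_file() {
  v=$(jquery_version "$1")
  status=patched
  if [ -z "$v" ]; then status=unknown-version
  elif version_lt_350 "$v" && has_selfclosing_expansion "$1"; then status=UNPATCHED
  elif version_lt_350 "$v"; then status=old-version-expansion-absent
  fi
  printf '%s\t%s\t%s\n' "$1" "${v:-?}" "$status"
}

# Walk a tree (default /usr/share, where the paths in the post live).
scan_jquery_copies() {
  find "${1:-/usr/share}" -type f -name 'jquery*.js' 2>/dev/null |
    while read -r f; do report_jquery_file "$f"; done
}

# Constructed fixtures: only a header line plus the one literal the heuristic
# looks for, so the script can be exercised offline (not real jQuery files).
make_demo_fixtures() {
  d=$(mktemp -d)
  printf '/*!\n * jQuery JavaScript Library v2.0.3\n */\nx.replace(rxhtmlTag,"<$1></$2>");\n' > "$d/jquery-2.0.3.js"
  printf '/*! jQuery v3.4.1 | with backported fix */\nhtmlPrefilter:function(e){return e}\n' > "$d/jquery-3.4.1.js"
  printf '/*! jQuery v3.5.0 | jquery.org/license */\n' > "$d/jquery.min.js"
  echo "$d"
}

# Scan the real tree with JQ_SCAN_ROOT=/usr/share; otherwise scan the fixtures.
scan_jquery_copies "${JQ_SCAN_ROOT:-$(make_demo_fixtures)}"
```

The expansion grep is a heuristic, so an old version reported as expansion-absent still needs the package changelog checked (for example with rpm -q --changelog) before it is treated as fixed.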