Is there a fix pack for CVE-2019-11358

josiahh94050133

28-05-2019

We are hoping to address CVE -CVE-2019-11358 in the jQuery library provided with AEM.

In versions prior to 6.4, we would overlay /libs/clientlibs/granite/jquery and apply security patches based on recommendations from the jQuery team.

However, starting with 6.4, the /libs/clientlibs/granite nt:folder node has the granite:InternalArea mixin applied.

With that, we are no longer able to overlay jQuery and patch it ourselves per documentation here: Adobe Experience Manager Help | Sustainable Upgrades

"Internal (granite:InternalArea) - Defines a node as internal. Nodes classified as internal cannot be overlaid, inherited, or used directly. These nodes are meant only for internal functionality of AEM"

So we are dependent on Adobe releasing a patched version of the jQuery clientlib, with a fix for the jQuery.extend method.

We are going to override the method in our own scripts to get around the issue, but we are hoping there is a CFP or Service Pack with an update to the jQuery client library.

Accepted Solutions (1)

Accepted Solutions (1)

aemmarc

Employee

29-05-2019

Unlikely yet. But please feel free to log a Daycare ticket.

AEM doesn't use a single version of jQuery unfortunately, everything seems to bundle up it's own version so there are several versions throughout the product. In AEM 6.4.4 (via GRANITE-19902) jQuery for ContextHub was brought up to 3.2.1 from 1.11.0 !! .

So in 6.4.4 it should be jquery 3.2.1 in most of the product.

So if CVE-2019-11358 affects 3.4.0 and earlier, then AEM is likely susceptible to this vector at this time.

Answers (0)