Is there a fix pack for CVE-2019-11358

josiahh94050133
Level 2

28-05-2019

We are hoping to address CVE-2019-11358 in the jQuery library provided with AEM.

In versions prior to 6.4, we would overlay /libs/clientlibs/granite/jquery and apply security patches based on recommendations from the jQuery team.

However, starting with 6.4, the /libs/clientlibs/granite nt:folder node has the granite:InternalArea mixin applied.

With that, we are no longer able to overlay jQuery and patch it ourselves per documentation here: Adobe Experience Manager Help | Sustainable Upgrades

"Internal (granite:InternalArea) - Defines a node as internal. Nodes classified as internal cannot be overlaid, inherited, or used directly. These nodes are meant only for internal functionality of AEM"

So we are dependent on Adobe releasing a patched version of the jQuery clientlib, with a fix for the jQuery.extend method.

We are going to override the method in our own scripts to get around the issue, but we are hoping there is a CFP or Service Pack with an update to the jQuery client library.
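The override mentioned above, as an added example that is not from this thread, Adobe or jQuery: a wrapper that drops `__proto__` keys from every source object before delegating to the original `jQuery.extend`, which is the check jQuery 3.4.0 shipped for CVE-2019-11358. `legacyExtend`, `hardenExtend` and `demo` are names chosen here, and the stand-in merge exists only so the file runs without jQuery.

```javascript
// Added example, not from this thread, Adobe or jQuery: a wrapper for jQuery.extend
// that drops "__proto__" keys from source objects, mirroring the fix jQuery 3.4.0
// shipped for CVE-2019-11358. legacyExtend is a constructed stand-in (no jQuery).
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
// Constructed stand-in for the pre-3.4 deep merge: no special-casing of "__proto__".
function legacyDeepMerge(target, src) {
  for (const name in src) {
    const copy = src[name];
    if (isPlainObject(copy)) {
      target[name] = legacyDeepMerge(isPlainObject(target[name]) ? target[name] : {}, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}
function legacyExtend(...args) {  // same call shape as jQuery: ([deep], target, ...sources)
  const deep = typeof args[0] === 'boolean';
  return args.slice(deep ? 2 : 1).reduce(legacyDeepMerge, deep ? args[1] : args[0]);
}
// Wraps any extend: sources are copied with "__proto__" keys removed (recursively,
// arrays included) before the original merge runs. onBlocked receives every dropped
// key, a cheap signal worth logging because it indicates hostile input.
function hardenExtend(originalExtend, onBlocked) {
  function strip(v) {
    if (Array.isArray(v)) return v.map(strip);
    if (!isPlainObject(v)) return v;
    const out = {};
    for (const key of Object.keys(v)) {
      if (key === '__proto__') { if (onBlocked) onBlocked(key); continue; }
      out[key] = strip(v[key]);
    }
    return out;
  }
  return function extend(...args) {
    const headLen = typeof args[0] === 'boolean' ? 2 : 1;  // keep flag and target as-is
    return originalExtend.apply(this, args.slice(0, headLen).concat(args.slice(headLen).map(strip)));
  };
}
// Stand-alone check; with real jQuery: jQuery.extend = hardenExtend(jQuery.extend) (assumed deployment).
function demo() {
  const blocked = [];
  const safeExtend = hardenExtend(legacyExtend, (k) => blocked.push(k));
  const untrusted = JSON.parse('{"a":{"b":1},"__proto__":{"polluted":true}}'); // constructed input
  const merged = safeExtend(true, {}, untrusted);
  return { merged, blocked, polluted: ({}).polluted };
}
```

The wrapper must run from a clientlib that loads after Granite's jQuery, and any bundled copies of jQuery elsewhere in the product (as the accepted answer notes there are several) need the same treatment.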

Accepted Solutions (1)

aemmarc
Employee

29-05-2019

Unlikely yet. But please feel free to log a Daycare ticket.

AEM doesn't use a single version of jQuery unfortunately; everything seems to bundle up its own version, so there are several versions throughout the product. In AEM 6.4.4 (via GRANITE-19902) jQuery for ContextHub was brought up to 3.2.1 from 1.11.0!!

So in 6.4.4 it should be jQuery 3.2.1 in most of the product.

So if CVE-2019-11358 affects 3.4.0 and earlier, then AEM is likely susceptible to this vector at this time.

Answers (0)