
SOLVED

PEN test vulnerabilities for jquery used by AEM


Level 7

 

Hi folks,

 

Our PEN testers are saying there are 2 new Medium vulnerabilities in the 1.12.4 version of jQuery.

https://snyk.io/test/npm/jquery/1.12.4

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Does service pack 6 or 7 contain a patched version of jQuery that includes fixes for all of the latest vulnerabilities?

BTW, are we allowed to change the version of jQuery ourselves? I always thought we weren't allowed to change it, but I have seen tutorials explaining how to do it.

https://aem4beginner.blogspot.com/overriding-jquery-version-in-cq

 

I'm a bit puzzled. Anybody know the answer?

 

thanks

Fiona

1 Accepted Solution


Correct answer by
Community Advisor

@fionas76543059,

Definitely. While the AEM platform uses the cq.jquery client library for internal use, for your company's website you can totally define your own jQuery library which contains the latest version of jQuery. You can place the "VENDOR" client library under /apps/my-site/clientlibs/vendor/*. A standard practice in an AEM project is to place 3rd party JavaScript libraries in the vendor folder and export them from there as a client library.

Example: [screenshot in original post]

Next, you can set your clientlib-site with jquery.3.1.1 as a dependency. [screenshot in original post]

 


13 Replies



Level 7
Thanks Brian. Is it the case that the CQ version of jQuery is used only internally in the Author instance then? So we don't have to worry about it with the published public site?


Community Advisor
Yes, just make sure you are not referencing the out-of-the-box cq.jquery client library category in your page template, and instead reference the jquery.3.1.1 custom category. You can view the page in "publish mode" and review the .js files that are being referenced in the DOM to ensure that the correct client library is being added to the page.


Level 7

Hmmmm... I still get the old granite jQuery on my publish page (as well as the 3.5.1 I added to my clientlibs), not sure where that old one is coming from. The guy in the blog above suggests that you can replace the granite jQuery (if you test plenty afterwards). What do you think of that idea? Thanks, Fiona

 

Thanks Brian. FYI, below is a screenshot of the blog. I am also showing the bunch of scripts that get pulled into every page. I had a look at some of it and it is CQ Day stuff to do with "picturefill" and utility functions for Adobe Forms, which we also use. They must pull in the granite jQuery. Thanks, Fiona.

 

    
    
<link rel="stylesheet" href="/etc.clientlibs/foundation/clientlibs/main.min.<hash>.css" type="text/css">
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/utils.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/jquery.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/shared.min....js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/main.min...js"></script>

 

[screenshot of the blog in original post]


Community Advisor
fionas, that is a 404 page in the blog you sent above. If your template is calling the right client libraries then the old jQuery version should not exist. You will need to investigate and understand all of the client libraries being referenced on the page, and ensure that nobody is referencing the "dependency" set with cq.jquery.
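As an added example (not code from the thread or from Adobe), a script that automates the DOM review Brian describes: it parses a page source for script tags and separates the out-of-the-box granite and foundation jQuery builds from a custom jQuery clientlib, so a template that still loads both stands out. The my-site path and the HASHn segments in the sample pages are constructed placeholders.

```python
"""Audit which jQuery builds a rendered AEM page actually loads.

Added example, not code from the thread or from Adobe: it parses the
<script> tags of a page source and separates the out-of-the-box granite
and foundation jQuery builds from any custom jQuery clientlib.
"""
from html.parser import HTMLParser

# Proxy paths under which AEM serves its bundled jQuery builds (from the thread).
OOTB_CLIENTLIB_ROOTS = (
    "/etc.clientlibs/clientlibs/granite/",
    "/etc.clientlibs/foundation/clientlibs/",
)

# Constructed page sources modelled on the script list posted in the thread;
# the HASHn segments and the my-site path are placeholders, not real values.
DOUBLE_LOADED_PAGE = """
<script src="/etc.clientlibs/clientlibs/granite/jquery.min.HASH1.js"></script>
<script src="/etc.clientlibs/clientlibs/granite/utils.min.HASH2.js"></script>
<script src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.HASH3.js"></script>
<script src="/etc.clientlibs/foundation/clientlibs/jquery.min.HASH4.js"></script>
<script src="/etc.clientlibs/my-site/clientlibs/vendor/jquery-3.5.1.min.js"></script>
"""
FIXED_PAGE = """
<script src="/etc.clientlibs/my-site/clientlibs/vendor/jquery-3.5.1.min.js"></script>
<script src="/etc.clientlibs/my-site/clientlibs/clientlib-site.min.HASH5.js"></script>
"""


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in document order."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and (src := dict(attrs).get("src")):
            self.scripts.append(src)


def audit_jquery(page_html):
    """Return OOTB and custom jQuery script URLs and whether more than one is loaded.

    A script counts as jQuery when its file name starts with 'jquery', so
    granite.min.js inside the granite/jquery folder is not mistaken for it.
    """
    collector = ScriptCollector()
    collector.feed(page_html)
    jquery = [s for s in collector.scripts if s.rsplit("/", 1)[-1].startswith("jquery")]
    ootb = [s for s in jquery if s.startswith(OOTB_CLIENTLIB_ROOTS)]
    return {"ootb": ootb, "custom": [s for s in jquery if s not in ootb],
            "double_loaded": len(jquery) > 1}
```

Run it against the saved source of a publish-mode page; a non-empty "ootb" list means some clientlib on the page still pulls in the bundled build through its category or dependency.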


Employee Advisor

Hi @BrianKasingli,

 

In my project also the security team has reported a similar vulnerability issue with the 1.12.4 version of jQuery, and they have mentioned the file location /etc.clientlibs/clientlibs/granite/jquery.js.

But if we take a closer look in CRXDE, then we can see the actual file location is /libs/clientlibs/granite/jquery/source/1.12.4/jquery-1.12.4.js as shown below:

 

[CRXDE screenshot in original post]

 

I feel in this case it would be better to raise an Adobe support ticket to highlight the issue instead of overlaying and upgrading the jQuery version, as /libs/clientlibs/granite/jquery comes under /libs/clientlibs/granite [granite:InternalArea]. Please correct my understanding here.

 

@kautuk_sahni, please suggest and correct my understanding. I am using AEM 6.5.10.


Level 1

Hi @DEBAL_DAS, @All

 

Did you find any fix or solution to this issue?

Please share if you have any suggestion to resolve the issue.

I appreciate your help. Thanks

 


Level 4

Any update on this? We have the same issue in our project.


Level 3

Hi all,

Please confirm how this was actioned, since we are in the same boat on AEM 6.5.9.0.

CVEs were reported on the version of jQuery used and, while we are looking into upgrading it or overriding it, I wanted to know how any of you solved this recently, since the accepted response is a bit dated. Do any service packs need to be installed, or is a custom override the way to go?

I'd appreciate responses on how it was mitigated.

 

Thanks in advance!


Level 4

@kartheekd203042, Adobe Support confirmed to us that they've already added the fixes for these issues in their product.


Level 1

Old post, but people still have the same question, and the "solution" doesn't really solve the problem.

First though, the OOTB version of jQuery is an updated version of v1.12.4; it already contains fixes for the known vulnerabilities. So if you are looking to update jQuery simply to pass a security scan, then you should read this:

https://docs.mktossl.com/docs/experience-cloud-kcs/kbarticles/KA-21173.html

If you still want to use a newer version of jQuery, then the solution is simple.

  1. Create your own clientlib that contains the version of jQuery that you want.
  2. Set the 'categories' property of your clientlib to be "jquery".
  3. Set the 'replaces' property of your clientlib to be "/libs/clientlibs/granite/jquery".

[screenshot in original post]


The key point is to set the 'replaces' property, otherwise you'll end up loading both the OOTB code and your own version.
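Added example of the clientlib folder definition Simon describes, not taken from the post or from Adobe: a FileVault .content.xml for the vendor clientlib with the categories and replaces properties set. The /apps/my-site/... location and the allowProxy setting are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: /apps/my-site/clientlibs/vendor/jquery/.content.xml
     (the folder also needs a js.txt listing the bundled jQuery 3.x file).
     categories=[jquery] puts this library in the same category as the
     OOTB build under /libs/clientlibs/granite/jquery; without the
     replaces property below, both builds would be served on the page. -->
<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"
          xmlns:cq="http://www.day.com/jcr/cq/1.0"
          jcr:primaryType="cq:ClientLibraryFolder"
          allowProxy="{Boolean}true"
          categories="[jquery]"
          replaces="[/libs/clientlibs/granite/jquery]"/>
```

The site clientlib then declares dependencies="[jquery]" rather than cq.jquery, so the replaced library is the only one resolved for that category.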




Level 5

Adobe says this about this jQuery version: "AEM includes version 1.12.4 of the jQuery library to provide maximum compatibility with existing custom code. Modifications have been done by Adobe to address known security issues."

 

Ref: General Release Notes for Adobe Experience Manager 6.5 | Adobe Experience Manager


Level 1

After testing all the approaches mentioned here, I wonder why there is no more discussion; nothing that really concludes the issue is mentioned here.

 

Yes, the answer marked as correct helps to use a different version; however, during edit mode the jQuery version used is the default one, otherwise (when forcing the use of a different version, for instance version 4) the component dialog will not open.

 

So, given that the link mentioned here from the official docs for AEM 6.5 indicates that the default jQuery version contains fixes for the vulnerabilities, should that make us use that version without being worried about it?

 

@DEBAL_DAS, did you solve the issue so the security team was satisfied? Did you raise a ticket with Adobe?

 

As usual, broken links like this one:

https://helpx.adobe.com/in/experience-manager/kb/resolve-jquery-library-conflicts-aem6.html

are referred to in other pages like https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/jquery-conflict-in-aem-6-4...

 

Were you guys able to fix the issue? Do you care only about the publish view, not the editor?

Thanks