Expand my Community achievements bar.

Radically easy to access on brand approved content for distribution and omnichannel performant delivery. AEM Assets Content Hub and Dynamic Media with OpenAPI capabilities is now GA.
SOLVED

Penetration testing on AEM as a Cloud Service identified two issues

Avatar

Level 3

When conducting penetration testing on our company's Adobe as a Cloud Service, we identified two vulnerabilities, CVE-2019-11358 and CVE-2020-23064.

I observed that CVE-2019-11358 has been addressed as per the README.md file located at /libs/clientlibs/granite/jquery in CRXDE.

However, there is no record of a fix for CVE-2020-23064 in the official security patch reports.

 

Additionally, despite our project not utilizing jQuery and instead employing React for development,

we suspect that the detection of this vulnerability is linked to system references within AEM (Adobe Experience Manager).

 

CVE-2019-11358:
https://nvd.nist.gov/vuln/detail/CVE-2019-11358

CVE-2020-23064:
https://nvd.nist.gov/vuln/detail/CVE-2020-23064

 

Could you provide records or documentation confirming the resolution of these two issues through the respective fixes?

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @reno1 
I am not 100% sure, I would recommend to check with Adobe and let them know the intentions, Generally Adobe got these kind of request and they have from past changes knowledge/experience.

They can better guide if it is recommended to change jquery and feasible or not in AEMaaCS.



Arun Patidar

View solution in original post

4 Replies

Avatar

Community Advisor

Hi @reno1 
Please check the comments in the below thread for CVE-2019-11358

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/pen-test-vulnerabilities-f... 

Adobe Support confirmed us they've already add the fixes for these issues in their product.

 

However no info available for CVE-2020-23064

 



Arun Patidar

Avatar

Level 3

The reply in this content mentions:

 

"Old post, but people still have the same question, and the 'solution' doesn't really solve the problem.

First, the out-of-the-box (OOTB) version of jQuery is an updated version of v1.12.4, and it already contains fixes for known vulnerabilities. So if you are looking to update jQuery simply to pass a security scan, then you should read this:

If you still want to use a newer version of jQuery, then the solution is simple.

  1. Create your own clientlib that contains the version of jQuery that you want.
  2. Set the 'categories' property of your clientlib to be "jquery."
  3. Set the 'replaces' property of your clientlib to be "/libs/clientlibs/granite/jquery."

The key point is to set the 'replaces' property; otherwise, you'll end up loading both the OOTB code and your own version.

 

Can this fix be applied to AEM as a Cloud Service? Does AEM's underlying system use jQuery? If I upgrade the version to 3.6.0, will it affect AEM's functionality?

Avatar

Level 3

Hi @arunpatidar, is the solution proposed above feasible for AEM as a Cloud Service?

Avatar

Correct answer by
Community Advisor

Hi @reno1 
I am not 100% sure, I would recommend to check with Adobe and let them know the intentions, Generally Adobe got these kind of request and they have from past changes knowledge/experience.

They can better guide if it is recommended to change jquery and feasible or not in AEMaaCS.



Arun Patidar