On Wed, 07 Oct 2020, Christopher Lamb via FreeIPA-users wrote:
Hi all
Security scans of our ipa server report a vulnerability “JQuery 1.2 <
3.5.0 XSS”.
The recommended fix is to upgrade jQuery to version 3.5.0 or later.
We are running ipa-server 4.6.4 on OEL 7.2.
The newest ipa-server version in our yum repository is 4.6.6
Hunting around on the server finds multiple instances and versions of
jQuery.js which seem to come from ipa. e.g.
/usr/share/doc/pki-base/html/_static/jquery.js 1.4.2
/usr/share/pki/server/webapps/pki/js/jquery.js 1.10.2
/usr/share/ipa/ui/js/libs/jquery.js 2.0.3
So how do we mitigate this vulnerability?
Googling with jQuery and IPA indicates that ipa 4.8.7 comes with jQuery
3.4.1 with backported fixes from 3.5.0 (“... A complete upgrade to
jQuery 3.5 is impossible at the moment due incompatibility with Bootstrap
3.4.1 which we currently use...”).
[1] https://www.freeipa.org/page/Releases/4.8.7
• 8284: Upgrade jQuery version to actual one
Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.
• 8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before
3.5.0, passing HTML from untrusted sources - even after sanitizing it - to
one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and
others) may execute untrusted code. FreeIPA is not allowing to pass
arbitrary code into affected jQuery path but we applied jQuery fix anyway.
Issue 8325 indicates an IPA 4.6 patch.
[2] https://pagure.io/freeipa/issue/8325
So would upgrading ipa-server to 4.6.6 contain this fix? Or do I have to
upgrade to 4.8.7 or later (which presumably implies upgrading Linux as
well)?
RHEL 7.9 is released already and it contains a rebase to FreeIPA 4.6.8
and a few patches on top of that. ipa-server-4.6.8-5.el7 contains this
patchset:
https://access.redhat.com/errata/RHSA-2020:3936
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland