Vulnerable jQuery version

sfmcadmin
Posts: 2
Joined: 08 Mar 2017, 20:28

08 Mar 2017, 20:42

We have an application built on PrimeFaces 3.2 and our security team has notified us that it's using a vulnerable version of jQuery. In fact, even if we were to jump to the top of your 6.x release chain, the jQuery version still in use wouldn't satisfy our security team. From the posts I've seen it's not recommended to import another jQuery version, as it'll conflict with the one packaged with PrimeFaces. Is there any kind of solution you might recommend?

tandraschko
PrimeFaces Core Developer
Posts: 3137
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE
Contact:

09 Mar 2017, 12:19

You can replace the jquery file in the jar. For the future, it would be great to create a feature request, so we can upgrade it in PF 6.2. Also please note: PF still uses jQuery 1.x as we still need to support older browsers.
Always Bet On Prime (+ Extensions)!

Thomas Andraschko
PrimeFaces Developer | PrimeFaces Extensions Founder
Apache OpenWebBeans PMC | Apache DeltaSpike PMC | Apache MyFaces PMC

Personal Blog: http://tandraschko.blogspot.de/
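Before and after swapping the bundled file as suggested above, it helps to have a repeatable check of which jQuery version a given PrimeFaces jar actually ships, so the security team's finding can be confirmed against the artifact rather than against release notes. The script below is an added example, not code from the thread or from the PrimeFaces project. It assumes that jQuery sits inside the jar as a JSF resource under a path ending in jquery.js (the META-INF/resources/primefaces/jquery/ path in the constructed sample is an assumption about the layout) and that the file begins with jQuery's usual header comment ("jQuery v1.11.0" for the minified build, "jQuery JavaScript Library v1.11.0" for the full one).

```python
import io
import re
import sys
import zipfile

# Any zip entry named jquery.js or jquery.min.js, whatever directory it sits in.
JQUERY_RESOURCE_RE = re.compile(r"(^|/)jquery(\.min)?\.js$")
# jQuery's header comment: "jQuery v1.11.0" (minified) or
# "jQuery JavaScript Library v3.1.1" (unminified).
VERSION_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")


def parse_version(text):
    """'1.11.0' -> (1, 11, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def bundled_jquery_versions(jar_bytes):
    """Return {entry_path: version_string_or_None} for every jquery*.js in a jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not JQUERY_RESOURCE_RE.search(name):
                continue
            # The version banner is in the first few hundred bytes; no need to read it all.
            head = jar.read(name)[:2048].decode("utf-8", errors="replace")
            match = VERSION_RE.search(head)
            found[name] = match.group(1) if match else None
    return found


def below_minimum(found, minimum):
    """Entries whose version is unknown (None) or older than `minimum`."""
    minimum_t = parse_version(minimum)
    return {
        path: version
        for path, version in found.items()
        if version is None or parse_version(version) < minimum_t
    }


def build_sample_jar(jquery_header):
    """Constructed stand-in for a PrimeFaces jar; the paths are assumptions, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/resources/primefaces/jquery/jquery.js",
            jquery_header + "\n(function(){})();\n",
        )
        jar.writestr("META-INF/resources/primefaces/core/core.js", "/* not jquery */\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_jquery.py primefaces-5.2.jar   (exit code 1 if anything is stale)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Constructed sample mimicking a jar that bundles minified jQuery 1.11.0.
        data = build_sample_jar(
            "/*! jQuery v1.11.0 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */"
        )
    versions = bundled_jquery_versions(data)
    for path, version in versions.items():
        print(f"{path}: {version or 'unknown'}")
    stale = below_minimum(versions, "1.12.0")
    sys.exit(1 if stale else 0)
```

Run it against the real jar on the classpath to confirm what is deployed; a None result means a jquery.js entry exists but its banner was stripped or rewritten, which is worth a manual look rather than being treated as safe.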

sfmcadmin
Posts: 2
Joined: 08 Mar 2017, 20:28

17 Mar 2017, 15:02

Thanks for your response tandraschko.

We opened the primefaces jar and overwrote the jquery.js with the 3.1.1 version. We then found we also had to add jquery ui to the jquery.js file. We were able to compile and deploy but unfortunately are plagued with runtime errors...

I understand we're using a pretty old version of primefaces but this is a legacy application and we have no current roadmap to upgrade.

tandraschko
PrimeFaces Core Developer
Posts: 3137
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE
Contact:

17 Mar 2017, 17:27

Using 3.x is currently impossible, as the API has changed and some plugins are incompatible.
Always Bet On Prime (+ Extensions)!

Thomas Andraschko
PrimeFaces Developer | PrimeFaces Extensions Founder
Apache OpenWebBeans PMC | Apache DeltaSpike PMC | Apache MyFaces PMC

Personal Blog: http://tandraschko.blogspot.de/

Rajesh.Sampath
Posts: 2
Joined: 28 Mar 2017, 09:21

03 Apr 2017, 16:28

I am using PrimeFaces 5.2 in one of my projects. But it uses jQuery 1.11.0, which has a cross-site scripting (XSS) vulnerability.
Can we upgrade jQuery explicitly? Is this advisable? If it's not, when will PF move from jQuery version 1.11.0 to 1.12.0?
For your reference: https://www.cvedetails.com/vulnerabilit ... .11.4.html
Can we upgrade to 1.12.x?

tandraschko
PrimeFaces Core Developer
Posts: 3137
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE
Contact:

05 Apr 2017, 12:05

We will upgrade to 1.12 if possible after the 6.1 release. It's too hot to do it now before the final release.
Always Bet On Prime (+ Extensions)!

Thomas Andraschko
PrimeFaces Developer | PrimeFaces Extensions Founder
Apache OpenWebBeans PMC | Apache DeltaSpike PMC | Apache MyFaces PMC

Personal Blog: http://tandraschko.blogspot.de/

kukeltje
Expert Member
Posts: 8444
Joined: 17 Jun 2010, 13:34
Location: Netherlands

05 Apr 2017, 17:01

Would be great if for the next version a 6.2-legacy would be introduced and a 6.2-new which includes jquery 3.x... Just to make sure PrimeFaces itself does not become 'legacy' ;-)
Ronald van Kuijk
______________________________
PrimeFaces 5.2, PrimeFaces plus 0.0.2 | JbossWildfly 8.1| Mojarra 2.2.8
Fedora 21, Firefox 'most recent'
Read the forum posting rules
Beginners: https://jsf.zeef.com/bauke.scholtz

tandraschko
PrimeFaces Core Developer
Posts: 3137
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE
Contact:

05 Apr 2017, 20:13

I recently talked with Cagatay about it.
The problem is the following:
- jQuery 3 doesn't support IE8. Currently that is a good argument, but I think the argument won't be valid anymore in 1-2 years. Some companies still use IE8, and currently that's a good argument to use PrimeFaces instead of e.g. PrimeNG.
- The effort to be really jQuery 3 compatible is very big. I think the effort to migrate our own scripts is not so high, but we also have many third-party scripts... Using a "migration plugin" could help, but it's no real solution. We would still need to fix those plugins or reinvent them later...
- What's the exact benefit?
- Does the migration plugin / compat plugin fix all components? Really, if you have time, please try it!
Always Bet On Prime (+ Extensions)!

Thomas Andraschko
PrimeFaces Developer | PrimeFaces Extensions Founder
Apache OpenWebBeans PMC | Apache DeltaSpike PMC | Apache MyFaces PMC

Personal Blog: http://tandraschko.blogspot.de/

kukeltje
Expert Member
Posts: 8444
Joined: 17 Jun 2010, 13:34
Location: Netherlands

06 Apr 2017, 20:14

If jQuery 1.x stays 'maintained' there is no real need (other than maybe some newer, cooler plugins/components that cannot be used), but if they stop supporting newer versions of FF, IE/Edge and Chrome, then you punish users/devs that are staying up to date.

6.2-legacy should be for those companies that need support for IE8. They can get it and bugfixes, but still, seriously supporting IE8 should be done on a pay/cure basis. I'm more than happy to actually help porting the JS code to the jQuery 3 API, but investigating the migration/compat plugin is of lesser priority. But I might give it a try in the coming weeks....
Ronald van Kuijk
______________________________
PrimeFaces 5.2, PrimeFaces plus 0.0.2 | JbossWildfly 8.1| Mojarra 2.2.8
Fedora 21, Firefox 'most recent'
Read the forum posting rules
Beginners: https://jsf.zeef.com/bauke.scholtz
