Vulnerable jQuery version

sfmcadmin
Posts: 2
Joined: 08 Mar 2017, 20:28

08 Mar 2017, 20:42

We have an application built on PrimeFaces 3.2 and our security team has notified us that it's using a vulnerable version of jQuery. In fact, even if we were to jump to the top of your 6.x release chain, the jQuery version still in use wouldn't satisfy our security team. From the posts I've seen it's not recommended to import another jQuery version as it'll conflict with the one packaged with PrimeFaces. Is there any kind of solution you might recommend?

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE

09 Mar 2017, 12:19

You can replace the jquery file in the jar. For the future, it would be great to create a feature request, so we can upgrade it in PF 6.2. Also please note: PF still uses jQuery 1.x as we still need to support older browsers.
Thomas Andraschko

PrimeFaces | PrimeFaces Extensions

Apache Member | OpenWebBeans, DeltaSpike, MyFaces, BVal, TomEE

Sponsor me: https://github.com/sponsors/tandraschko
Blog: http://tandraschko.blogspot.de/
Twitter: https://twitter.com/TAndraschko
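Before and after swapping the file in the jar, it is worth checking which jQuery version the jar actually bundles, since that is the number a scanner reports. The script below is an added example in Python, not PrimeFaces' own code or the poster's. It assumes the resource sits at META-INF/resources/primefaces/jquery/jquery.js inside the jar and that the file keeps jQuery's usual version banner; the jar it builds is a constructed stand-in so the script runs offline against a real jar path or the demo.

```python
"""Audit the jQuery version bundled in a PrimeFaces jar (added example, not PrimeFaces code)."""
import os
import re
import tempfile
import zipfile

# Assumed location of the JSF resource inside the jar (library "primefaces",
# resource name "jquery/jquery.js"). Adjust if your jar lays it out differently.
JQUERY_RESOURCE = "META-INF/resources/primefaces/jquery/jquery.js"

# Matches both the minified banner "/*! jQuery v1.8.1 ..." and the unminified
# "jQuery JavaScript Library v1.11.0" header.
BANNER_RE = re.compile(r"jQuery\s+(?:JavaScript Library\s+)?v(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) parsed from a jQuery banner, or None if absent."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def bundled_jquery_version(jar_path):
    """Read the jQuery resource out of the jar and report its banner version."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            data = jar.read(JQUERY_RESOURCE)
        except KeyError:
            return None
    # The banner is in the first line; a few KB is plenty.
    return parse_version(data[:4096].decode("utf-8", errors="replace"))


def audit(jar_path, minimum=(1, 12, 0)):
    """Compare the bundled version against the minimum your policy accepts."""
    version = bundled_jquery_version(jar_path)
    if version is None:
        return {"jar": jar_path, "jquery": None, "ok": False}
    return {
        "jar": jar_path,
        "jquery": ".".join(str(n) for n in version),
        "ok": version >= minimum,
    }


def build_constructed_jar(path, jquery_version):
    """Write a minimal stand-in jar (constructed sample input, not a real PrimeFaces build)."""
    banner = "/*! jQuery v%s jquery.com | jquery.org/license */\n" % jquery_version
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JQUERY_RESOURCE, banner + "(function(){})();\n")
    return path


def demo(jquery_version, minimum=(1, 12, 0)):
    """Build a constructed jar carrying the given banner and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_constructed_jar(os.path.join(tmp, "primefaces-demo.jar"), jquery_version)
        return audit(jar, minimum)


if __name__ == "__main__":
    print(demo("1.8.1"))    # what a PrimeFaces 3.x era jar would typically report
    print(demo("1.12.4"))   # after swapping the file for a newer 1.x build
```

A passing check only tells you the banner changed. Swapping the file does not change the API the PrimeFaces widgets and their bundled plugins were written against, so compatibility still has to be verified at runtime. If you do replace the file, note that a JSF 2 resource handler resolves /resources/primefaces/jquery/jquery.js in the web application before META-INF/resources in the jar (assumed here for Mojarra and MyFaces; verify with your implementation), so the override can live in the webapp instead of a repacked jar.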

sfmcadmin
Posts: 2
Joined: 08 Mar 2017, 20:28

17 Mar 2017, 15:02

Thanks for your response tandraschko.

We opened the PrimeFaces jar and overwrote the jquery.js with the 3.1.1 version. We then found we also had to add jQuery UI to the jquery.js file. We were able to compile and deploy but unfortunately are plagued with runtime errors...

I understand we're using a pretty old version of primefaces but this is a legacy application and we have no current roadmap to upgrade.

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE

17 Mar 2017, 17:27

Using 3.x is currently impossible, as the API has been changed and some plugins are incompatible.

Rajesh.Sampath
Posts: 2
Joined: 28 Mar 2017, 09:21

03 Apr 2017, 16:28

I am using PrimeFaces 5.2 in one of my projects. But it uses jQuery 1.11.0, which has a cross-site scripting (XSS) vulnerability.
Can we upgrade jQuery explicitly? Is this advisable? If it is not, when will PF move from jQuery version 1.11.0 to 1.12.0?
For your reference: https://www.cvedetails.com/vulnerabilit ... .11.4.html
Can we upgrade to 1.12.x?

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE

05 Apr 2017, 12:05

We will upgrade to 1.12 if possible after the 6.1 release. It's too hot to do it now before the final release.

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

05 Apr 2017, 17:01

It would be great if for the next version a 6.2-legacy were introduced and a 6.2-new which includes jQuery 3.x... Just to make sure PrimeFaces itself does not become 'legacy' ;-)

tandraschko
PrimeFaces Core Developer
Posts: 3979
Joined: 03 Dec 2010, 14:11
Location: Bavaria, DE

05 Apr 2017, 20:13

I recently talked with Cagatay about it.
The problem is the following:
- jQuery 3 doesn't support IE8. Currently that is a good argument, but I think the argument won't be valid anymore in 1-2 years.
Some companies still use IE8, and currently that's a good argument to use PrimeFaces instead of e.g. PrimeNG.
- The effort to be really jQuery 3 compatible is very big. I think the effort to migrate our own scripts is not so high, but we also have many third-party scripts...
Using a "migration plugin" could help, but it's no real solution. We would still need to fix those plugins or reinvent them later...
- What's the exact benefit?
- Does the migration plugin / compat plugin fix all components? Really, if you have time, please try it!

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

06 Apr 2017, 20:14

If jQuery 1.x stays 'maintained' there is no real need (other than maybe some newer, cooler plugins/components that cannot be used), but if they stop supporting newer versions of FF, IE/Edge and Chrome, then you punish users/devs that are staying up to date.

6.2-legacy should be for those companies that need support for IE8. They can get it and bugfixes, but still, seriously supporting IE8 should be done on a pay/cure basis. I'm more than happy to actually help porting the JS code to the jQuery 3 API, but investigating the migration/compat plugin is of lesser priority. But I might give it a try in the coming weeks....
