OpenUI5 version: latest
Browser/version (+device/version): N/A
Any other tested browsers/devices(OK/FAIL):
URL (minimal example if possible): N/A
User/password (if required and possible - do not post any confidential information here):
Steps to reproduce the problem:
According to https://github.com/SAP/openui5/blob/master/src/sap.ui.core/src/sap/ui/thirdparty/jquery.js, JQuery 2.2.3 is the current version being used in OpenUI5. This should be upgraded to a 3.x version since "2.x branches no longer receive patches" according to jquery.com. There are security issues with the 2.x version and customers of our OpenUI5-based apps are very concerned about these vulnerabilities.
Is there a plan for an upgrade or can this be considered in the near term?
What is the expected result?
What happens instead?
Any other information? (attach screenshot if possible)
Hello @cmastrandrea,
I've created an internal incident 1880713209 to the colleagues who are familiar with JQuery upgrades. The status of the issue will be updated here in GitHub.
Regards,
Niya
Any updates on this?
These are known security issues in JQuery 2.2.3:
- BDSA-2014-0063 jQuery Vulnerable to Cross-Site Scripting (XSS) via 'parseHTML' Function (CVSS 3.0 score is 9.2 CRITICAL). Fixed in JQuery 3.0.0-rc1: https://github.com/jquery/jquery/commit/10fc59007d717432ea126e49ce4142e6c4d5136e
- BDSA-2015-0719 jQuery Vulnerable to Cross-Site Scripting via Cross-Domain Ajax Request (CVSS 3.0 score is 8.3 HIGH). Fixed in JQuery 3.0.0: https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614
- CVE-2015-9251 - jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. (CVSS 3.0 score is 6.1 MEDIUM) https://nvd.nist.gov/vuln/detail/CVE-2015-9251 Fixed in JQuery 3.0.0: https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614
An upgrade to jQuery 3.x was analyzed several months ago and showed issues with an incompatible change in jQuery.Deferred. It has therefore been postponed until alternatives for the affected APIs (in the area of SAPUI5, not OpenUI5) have been established.
Reg. the issues:
- document.createHTMLDocument is not used in jQuery 2.2.3
- the second and third issues share the same fix and that fix has been applied as a patch to our jQuery 2.2.3 version (11f98ca)
This comment seems to indicate the fix for CVE-2015-9251 was removed from 2.2.3?
Yes, jQuery had compatibility issues with the fix. But in the more limited context of UI5, we found the fix acceptable. And with jQuery 3.x, we would get the same fix, they just accepted the incompatibility for a major release.
ah, thank you for the clarification!
We use Black Duck for security scans and contacted them regarding a false positive of the jquery/jquery@10fc590 issue for jQuery 2.x. Their response (below) indicates the fix at 3.x introduced browser compatibility issues which were also fixed, but the backport to 2.x was ultimately removed and so the security issue still exists in 2.2.3.
From Black Duck:
"After review we have decided to leave jQuery versions 1.x and 2.x in the vulnerable version range of this BDSA (BDSA-2014-0063).
The vulnerability addressed by this BDSA concerns how scripts included in event attributes passed to the function parseHTML are executed immediately. This could leave a caller of this function vulnerable to cross-site scripting attacks if they do not properly sanitize untrusted input before it is passed to the function.
A mitigation was introduced in 3.0.0-rc1 changing the behavior of parseHTML to prevent immediate script execution. This was originally introduced by this commit:
https://github.com/jquery/jquery/commit/58c24608210c9a9a264a38746628ebc26823f59b
But a number of browser compatibility issues were then discovered which were eventually resolved by these commits:
https://github.com/jquery/jquery/commit/cfe468f29c4cbe1a457d0feb17dec90dcfd7c280
https://github.com/jquery/jquery/commit/10fc59007d717432ea126e49ce4142e6c4d5136e
Although the initial implementation of the mitigation did introduce these browser issues, it did not introduce the vulnerability referred to in the BDSA.
As the customer states, an attempt was made to backport this feature to 1.x and 2.x, but was ultimately removed and abandoned due to these issues. References to these incomplete/abandoned backports have been removed from the BDSA since they are not an appropriate mitigation.
Given that jQuery 1.x and 2.x do not have this mitigation, we believe this BDSA should be reported against these versions."
02/22/2019 05:44:06 AM PST [Aaron Fenstermacher]
I will analyse the findings regarding parseHTML and come back to you once I have results.
Thank you in advance!
Hi @cmastrandrea ,
please see commit https://github.com/SAP/openui5/commit/8c27d2ce33d38dd98eaa7bff90588e218226e307 for further information.
Best,
Dominik
It seems the Android Store security check rejects Cordova applications containing jQuery libraries of 2.2.x, so it's not possible to deploy apps containing the OpenUI5 framework.
It seems it's necessary to update this sooner rather than later.
As a workaround, you might use the noJQuery bootstrap option together with jQuery 3.x + jquery-migration plugin. For the packaging of the Cordova app, you then would have to add those jQuery modules and filter out the jQuery 2.x version to make the security check(er) happy.
_This is an untested proposal, I have to admit._
There is a potential XSS vulnerability in jQuery versions below 3.5.0:
https://nvd.nist.gov/vuln/detail/CVE-2020-11023
This will affect all users of UI5, at least as a finding in static security scans.
Yesterday we released a patch for every available UI5 version in maintenance:
SAPUI5: 1.38.47, 1.52.45, 1.60.29, 1.71.23, 1.78.6, 1.80.2
OpenUI5: 1.52.43, 1.60.28, 1.71.20, 1.78.6, 1.80.1
This patch applies the security fix from jQuery 3.5.0. Please note that the patch may introduce incompatibilities to custom application or library code. The compatibility issue only emerges after applying the patch and is not security relevant. It occurs because jQuery removed the vulnerable feature and code that relies on it now needs to be adjusted.
Please follow these instructions to check and fix your code:
https://github.com/SAP/openui5/blob/master/docs/self_closing_tags_fix_instructions.md
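As an added illustration (not code from this thread or from the OpenUI5 project) of the compatibility change the patch brings: jQuery before 3.5 silently expanded self-closing non-void tags such as `<div/>` in HTML strings, and the fix removes that expansion. The regex below is reconstructed from the pre-3.5 `htmlPrefilter` behaviour (an assumption, not copied from UI5), and the small checker flags HTML strings whose rendering changes after the patch.

```javascript
// Pre-3.5 jQuery.htmlPrefilter rewrote "<div/>" into "<div></div>" for every
// non-void element. Assumption: this regex mirrors that behaviour; it is a
// reconstruction for this example, not the OpenUI5 or jQuery source.
const RX_SELF_CLOSING =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Behaviour of jQuery < 3.5: expand self-closing non-void tags.
function legacyHtmlPrefilter(html) {
  return html.replace(RX_SELF_CLOSING, "<$1></$2>");
}

// Behaviour of jQuery >= 3.5 (and of the backported UI5 patch): the string
// reaches the HTML parser unchanged, so "<div/>" is treated as an opening tag
// whose content runs on until the next matching close tag or end of string.
function patchedHtmlPrefilter(html) {
  return html;
}

// Lists the self-closing non-void tag names in an HTML string: exactly the
// spots where the two prefilters disagree and explicit closing tags are needed.
function findSelfClosingTags(html) {
  const found = [];
  let m;
  RX_SELF_CLOSING.lastIndex = 0;
  while ((m = RX_SELF_CLOSING.exec(html)) !== null) {
    found.push(m[2].toLowerCase());
  }
  return found;
}

// True when applying the patch changes how jQuery renders this string.
function isAffectedByPatch(html) {
  return legacyHtmlPrefilter(html) !== patchedHtmlPrefilter(html);
}

// Constructed sample: a string literal as it might appear in a custom renderer.
const SAMPLE = '<div class="box"/><span/>text<br/><img src="x.png"/>';

console.log("affected tags:", findSelfClosingTags(SAMPLE));
console.log("legacy render:", legacyHtmlPrefilter(SAMPLE));
```

Void elements such as `<br/>` and `<img/>` are left alone by both versions, so only the `div` and `span` literals need rewriting to `<div ...></div>` and `<span></span>`.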
Update:
with this commit we now use jQuery 3.5.1.
During migration from jQuery V2 to V3 we have of course encountered quite some differences; you can find a documentation of those differences here:
Dev-Guide
In the file sap/ui/thirdparty/jquery-compat.js, you can find a compatibility layer on top of jQuery.
In this compat-layer we have fixed the most pressing issues we have seen in different UI5 apps.
Most parts of this compat-layer are based on jQuery Migrate.
Please have a look at the linked Dev-Guide entry for further information and get back to us if you encounter additional issues which we have not yet covered 👍