Question
Capgemini
Posted: Jun 16, 2022
Last activity: Aug 23, 2022
Closed
Solved
Can we upgrade JQuery and JQuery UI libraries in 8.2.8 to latest versions
@NareshKommuri
These libraries are embedded in Pega. See this forum question. Does your question involve vulnerability concerns?
Pega is familiar with the issue of the 3.4.1 jQuery version failing penetration tests and has diagnosed the cause.
The security issue is related to a function called 'jQuery.htmlPrefilter', which is not used in the Pega UI implementation or in any Pega applications. It has been confirmed that Pega is not using the vulnerable element in our jQuery version. Therefore, despite the jQuery version being vulnerable, no actual threats exist. The vulnerable part of jQuery is the function 'jQuery.htmlPrefilter', with a regex expression vulnerable to XSS.
Pega does not use the jQuery UI dialog in the product, instead providing custom modal dialogs. On the whole we don't use jQuery for any heavy-lifting operations, but merely to animate a few menus and show some control-related operations here and there. Upgrading jQuery is very complex and would introduce major regressions; thus Pega only upgrades jQuery in new releases to address security fixes.
We are also gradually deprecating usage of jQuery and moving on to native JS.
Below is some additional information:
Jquery version 3.5.1 exists in 8.6, 8.5.1, 8.4.5 and 8.3.6
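An added check, not from this thread or from Pega, for what the answer above describes: given a jQuery-like object it reports whether the loaded build predates the 3.5.0 change to jQuery.htmlPrefilter and whether that hook still rewrites markup. The two stub objects at the end are constructed stand-ins for the probe, not real jQuery builds; in a browser you would pass window.jQuery instead.

```javascript
// Added example (not Pega's or jQuery's code). jQuery 3.5.0 changed
// jQuery.htmlPrefilter to return its input unchanged; earlier 3.x builds
// expanded self-closing tags such as "<div/>" into "<div></div>".

// Parse "3.4.1" into [3, 4, 1]; missing or non-numeric parts become 0.
function parseVersion(v) {
  return String(v).split('.').slice(0, 3).map(p => parseInt(p, 10) || 0);
}

// Negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

const HTMLPREFILTER_FIX_VERSION = '3.5.0';

// jq is a jQuery-like object: jq.fn.jquery holds the version string and
// jq.htmlPrefilter is the hook. Returns a small assessment record.
function assessJquery(jq) {
  const version = jq && jq.fn && typeof jq.fn.jquery === 'string' ? jq.fn.jquery : null;
  const belowFix = version !== null && compareVersions(version, HTMLPREFILTER_FIX_VERSION) < 0;
  // Behavioural probe: a fixed build returns this harmless input unchanged.
  const probe = '<div/>';
  const prefilterRewrites =
    !!jq && typeof jq.htmlPrefilter === 'function' && jq.htmlPrefilter(probe) !== probe;
  return { version, belowFix, prefilterRewrites, needsUpgrade: belowFix || prefilterRewrites };
}

// Constructed stand-ins (not real jQuery builds). The legacy-like stub only
// mimics the self-closing tag expansion on simple tags, enough for the probe.
const legacyLikeJquery = {
  fn: { jquery: '3.4.1' },
  htmlPrefilter: html => html.replace(/<(\w+)\/>/g, '<$1></$1>'),
};
const fixedLikeJquery = {
  fn: { jquery: '3.5.1' },
  htmlPrefilter: html => html,
};
```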
You can address any issues by upgrading to 8.3.6 or higher. This has an updated version of jQuery (3.5.1).
jQuery has been upgraded to 3.6.0 and jQuery UI to 1.13.1 in Pega 8.7.1, so on either 8.7.1 or 8.7.2 you should be on jQuery version 3.6.0.
CVE-2019-11358 jQuery
As documented in the following articles, you will need to upgrade to 8.5.2 or higher to get the latest jQuery version:
https://collaborate.pega.com/question/jquery-and-jquery-ui-libraries-used-pega-841-and-851
https://collaborate.pega.com/question/pega-84-has-vulnerable-jquery-341
Hopefully this answers your question.