3

I've recently been asked to update a legacy web application, installed on numerous client servers, to use the current version of jQuery 3.3.1, rather than 1.10.2 which has a number of vulnerabilities.

Do I need to simply update the version used by the system to increase its security, or will I need to remove the old jQuery files from the server as well?

The system only makes use of jQuery in a fairly limited manner, so I don't think that the update will cause too much re-development. Bearing this in mind, do I even need to update jQuery if the system isn't using any of the features with a vulnerability?

Tobi Nary
Ted

3 Answers

2

When updating a library, you should indeed remove the (possibly problematic) code from the server. This is also true if the web application is not using the vulnerable parts of the library.

There is a good reason for that:

Served from that web server, the problematic code can possibly be leveraged in an attack that otherwise would be mitigated by CSP.

If a vulnerability in the web application does allow for (for example) XSS, the old version's vulnerabilities could be leveraged by an attacker regardless of the parts of the library the web application (usually) uses, possibly allowing for more controlled execution.

As you can see, it would need another vulnerability to actually exploit the vulnerable code, but following the argument of that not being a problem would render CSP in its entirety useless; removing that file will keep the CSP useful.

Additionally, it would be hard to identify whether any parts of the code still rely on the old library when it's still available, so it would be good practice to remove libraries that are no longer necessary.

Tobi Nary
  • Thanks for your input Tobi, that all makes complete sense, and confirms what I secretly expected about removing the old code. Much appreciated. – Ted Jan 14 '19 at 17:49
1

It depends on the vulnerability.

For example, an XSS vulnerability is client-side only. As long as you stop including a vulnerable version of the library on your pages, your site won't be vulnerable, since clients won't load it anymore.

Some JavaScript libraries also have a server-side part, for example a file upload plugin for jQuery. The server will continue to run the vulnerable library even if you removed it from the client, so the server will still be vulnerable.


In my opinion, you should also remove the old jQuery files from the server. They aren't going to be needed anymore. Moreover, are you sure that you updated all your pages to the new version? A single oversight is all it needs to have a vulnerable application.

See also Tobi Nary's answer, which explains that multiple vulnerabilities could be used at the same time to bypass some existing limitations.

Benoit Esnard
  • Hi Benoit - I respectfully disagree (cf. my answer). Case in point: serving the file from a CSP whitelisted server/directory could possibly render CSP useless. – Tobi Nary Jan 14 '19 at 16:35
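
One way to check both points raised in the answers above (old library files left under the web root, and pages that still load them), as an added example that is not part of the original thread. It assumes the caller supplies the web root's files as `{ path, text }` objects; the function names and the sample tree are constructed for illustration, and the 3.3.1 minimum is the upgrade target from the question.

```javascript
// Added example: audit helper, not code from the thread.
// Minimum acceptable version: the upgrade target named in the question.
const MIN_VERSION = [3, 3, 1];

// jQuery states its version in a banner comment at the top of the file:
//   minified:   /*! jQuery v1.10.2 | (c) ...
//   unminified:  * jQuery JavaScript Library v1.10.2
const BANNER = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)/;

function jqueryVersion(text) {
  const m = BANNER.exec(text.slice(0, 2048)); // only look at the file header
  return m ? m.slice(1, 4).map(Number) : null;
}

function isOlder(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] < min[i];
  }
  return false; // equal versions are not older
}

// files: array of { path, text } for everything under the web root (assumed input shape).
function auditWebRoot(files, min = MIN_VERSION) {
  const stale = files
    .filter(f => /\.js$/i.test(f.path))
    .map(f => ({ path: f.path, version: jqueryVersion(f.text) }))
    .filter(f => f.version && isOlder(f.version, min));
  // Matching is by file name, so it may over-report if a new file reuses an old name.
  const staleNames = stale.map(f => f.path.split("/").pop());
  const references = [];
  for (const f of files) {
    if (!/\.(html?|php|aspx?|cshtml)$/i.test(f.path)) continue;
    // Capture the src value without any cache-busting query string.
    for (const m of f.text.matchAll(/<script[^>]*\ssrc=["']([^"'?#]+)/gi)) {
      if (staleNames.includes(m[1].split("/").pop())) {
        references.push({ page: f.path, src: m[1] });
      }
    }
  }
  return { stale, references };
}

// Constructed sample tree (not from a real deployment).
const SAMPLE = [
  { path: "js/jquery-1.10.2.min.js", text: "/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license */" },
  { path: "js/jquery-3.3.1.min.js", text: "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */" },
  { path: "index.html", text: '<script src="/js/jquery-3.3.1.min.js?v=7"></script>' },
  { path: "admin/report.html", text: '<script src="/js/jquery-1.10.2.min.js?v=7"></script>' },
];
console.log(JSON.stringify(auditWebRoot(SAMPLE), null, 2));
```

An empty `stale` list means no old copy is left to be served; an empty `references` list with a non-empty `stale` list means the old file is unused by the scanned pages but still reachable.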
1

Software vulnerabilities can usually only be exploited when the code is actively used. Having said that, you'd like to remove the old files if possible so some faulty implementation doesn't continue to use them (never assume that other software is working correctly). However, be aware that depending on the cache control settings the website set for jQuery and the HTML files that load jQuery, your users' browsers may continue to use cached versions of your existing (vulnerable) jQuery installation for some time, even if you remove the files from your server.

Swashbuckler
  • In the context of JavaScript and web apps, it's not as easy as "not used, no problem", cf. my answer and realize that this makes vulnerable JS available under CSP. – Tobi Nary Jan 14 '19 at 16:39
  • Thanks for the input Swash, happily the system does use a cache busting querystring, so hopefully that won't be much of a problem. – Ted Jan 14 '19 at 17:50