
Application Vulnerability - Need Updated JQuery-ui JS (Doc ID 2610159.1)

Last updated on NOVEMBER 18, 2019

Applies to:

Oracle Financial Services Revenue Management and Billing - Version 2.6.0.1.0 and later
Information in this document applies to any platform.

Goal

On RMB v2.6.0.1.0 against Framework v4.3.0.4: Application vulnerability - need updated jQuery-ui jar.

Summary
The application is running a vulnerable version of jQuery UI, v1.11.0-beta.1, which was released on April 24, 2014.

Impact
The noted jQuery UI version is vulnerable to cross-site scripting (XSS).

Version Snippet:
/*! jQuery UI - v1.11.0-beta.1 - 2014-04-24
* http://jqueryui.com
* Includes: core.js, widget.js, mouse.js, position.js, accordion.js, autocomplete.js, button.js, datepicker.js, dialog.js, draggable.js, droppable.js,
effect.js, effect-blind.js, effect-bounce.js, effect-clip.js, effect-drop.js, effect-explode.js, effect-fade.js, effect-fold.js, effect-highlight.js, effect-puff.js,
effect-pulsate.js, effect-scale.js, effect-shake.js, effect-size.js, effect-slide.js, effect-transfer.js, menu.js, progressbar.js, resizable.js, selectable.js,
slider.js, sortable.js, spinner.js, tabs.js, tooltip.js
* Copyright 2014 jQuery Foundation and other contributors; Licensed MIT */

Remediation Recommendations
Upgrade the affected component to the latest secure version. At the time of this writing, the latest secure version of jQuery UI is v1.12.1, released 14 Sep 2016. In addition, a patch management system and plan is required so that new releases of bundled libraries are tracked and applied as they become available, rather than addressed one finding at a time.

CVE for JQueryUI vulnerability:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
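The quickest check that the upgrade actually landed is to read the banner jQuery UI stamps on every built file (the "Version Snippet" above). The script below is an added example, not Oracle's code or part of this note: it walks a web or application root, finds those banners in any .js file, parses the version including pre-release tags such as -beta.1 (which sort below the corresponding release), and flags anything older than the v1.12.1 baseline this note recommends. The sample banners and the temporary directory layout are constructed for the demo; MIN_SECURE, scan_tree and the other names are this example's own.

```python
"""Inventory jQuery UI builds by their banner comment (added example)."""
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# The banner jQuery UI places at the top of its built files, e.g.
#   /*! jQuery UI - v1.11.0-beta.1 - 2014-04-24
# Captures the version (with an optional pre-release tag) and the build date.
BANNER_RE = re.compile(
    r"/\*!\s*jQuery UI\s*-\s*v(?P<version>\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)"
    r"(?:\s*-\s*(?P<date>\d{4}-\d{2}-\d{2}))?"
)

# Baseline taken from this note's recommendation (v1.12.1); older is flagged.
MIN_SECURE = "1.12.1"

# Constructed sample banners: "rmb" is the banner quoted in the note, the
# other two are made up here to exercise the version comparison.
SAMPLE_BANNERS = {
    "rmb": "/*! jQuery UI - v1.11.0-beta.1 - 2014-04-24\n* http://jqueryui.com\n",
    "patched": "/*! jQuery UI - v1.12.1 - 2016-09-14\n* http://jqueryui.com\n",
    "release_1_11": "/*! jQuery UI - v1.11.0 - 2014-06-26\n* http://jqueryui.com\n",
}


def version_key(ver: str):
    """Sort key: numeric core first, then release ranks above any pre-release,
    and pre-release identifiers compare numerically when numeric (semver)."""
    core, _, pre = ver.partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    if not pre:
        return ((major, minor, patch), 1, ())
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return ((major, minor, patch), 0, parts)


def extract_version(source: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (version, build_date) from a file's text, or None if no banner."""
    m = BANNER_RE.search(source)
    return (m.group("version"), m.group("date")) if m else None


def is_outdated(version: str, minimum: str = MIN_SECURE) -> bool:
    return version_key(version) < version_key(minimum)


def scan_tree(root) -> List[Tuple[str, str, Optional[str], bool]]:
    """Walk a directory and report every jQuery UI build found under it as
    (relative path, version, build date, outdated?)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.js"):
        try:
            with path.open(encoding="utf-8", errors="replace") as fh:
                head = fh.read(2048)  # the banner is always at the top
        except OSError:
            continue
        found = extract_version(head)
        if found:
            ver, date = found
            findings.append((str(path.relative_to(root)), ver, date, is_outdated(ver)))
    return sorted(findings)


def demo_scan():
    """Write the constructed banners into a temp tree and scan it; returns
    {sample name: (version, outdated?)} so the result can be checked."""
    root = Path(tempfile.mkdtemp(prefix="jqui-audit-"))
    for name, banner in SAMPLE_BANNERS.items():
        target = root / name / "jquery-ui.min.js"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(banner + "!function(){}();\n", encoding="utf-8")
    (root / "app.js").write_text("var app = {};\n", encoding="utf-8")  # no banner: ignored
    return {Path(rel).parts[0]: (ver, outdated) for rel, ver, _, outdated in scan_tree(root)}


if __name__ == "__main__":
    for name, (ver, outdated) in demo_scan().items():
        print(f"{name:14s} {ver:16s} {'OUTDATED' if outdated else 'ok'}")
```

Point scan_tree at the deployed web root (or an extracted copy of the application archive) rather than the build tree, since the banner of the file actually served is what matters; a minified build with the banner stripped will be missed by this check and needs a hash or manual comparison instead.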

Solution

