Application Vulnerability - Need Updated JQuery-ui JS
(Doc ID 2610159.1)
Last updated on APRIL 03, 2023
Applies to:
Oracle Financial Services Revenue Management and Billing - Version 2.6.0.1.0 and later
Information in this document applies to any platform.
Goal
On RMB v2.6.0.1.0 against Framework v4.3.0.4: Application vulnerability - need updated jQuery-ui jar.
Summary
The application is running a vulnerable version of jQuery UI, v1.11.0-beta.1, a pre-release build published April 24, 2014.
Impact
The noted jQuery UI version is vulnerable to cross-site scripting (XSS); CVE-2016-7103 covers script injection through the closeText option of the dialog widget in jQuery UI releases before 1.12.0.
Version Snippet:
/*! jQuery UI - v1.11.0-beta.1 - 2014-04-24
* http://jqueryui.com
* Includes: core.js, widget.js, mouse.js, position.js, accordion.js, autocomplete.js, button.js, datepicker.js, dialog.js, draggable.js, droppable.js,
effect.js, effect-blind.js, effect-bounce.js, effect-clip.js, effect-drop.js, effect-explode.js, effect-fade.js, effect-fold.js, effect-highlight.js, effect-puff.js,
effect-pulsate.js, effect-scale.js, effect-shake.js, effect-size.js, effect-slide.js, effect-transfer.js, menu.js, progressbar.js, resizable.js, selectable.js,
slider.js, sortable.js, spinner.js, tabs.js, tooltip.js
* Copyright 2014 jQuery Foundation and other contributors; Licensed MIT */
Remediation Recommendations
Upgrade the affected component to the latest secure version. At the time of this writing, the latest secure version of jQuery UI is v1.12.1, released 14 Sep 2016; CVE-2016-7103 was fixed in v1.12.0, so any 1.11.x build (including the 1.11.0-beta.1 shipped here) remains affected. In addition, a patch management process is needed so that bundled third-party libraries are tracked and refreshed as new versions are released, rather than fixed once and forgotten.
CVE for JQueryUI vulnerability:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103
Solution