How do I ensure that Outdated Libraries are not used?
03-09-2022 05:03 AM
For TinyMC the library TinyMCE version 4.4.3 was being used and has known security issues. The newest version is 5.2.2 (30.04.2020).
For jQuery the library jQuery version 2.2.3-snc was being used and has known security issues. The newest version is 3.6.0 (02.03.2021).
Why are these not auto updated, or updated via the patches?
How does the dev team switch the libraries they are using?
Labels: Vulnerability Response
03-21-2022 09:39 AM
Hi Mark,
A vulnerability in a library may not always mean that the application is also vulnerable. Libraries contain lots of functions in them and sometimes applications only call for a few of these functions within a particular library. There is a possibility that the outdated library has a vulnerability in one of its functions and the rest is good. And the application may only import a few non-vulnerable functions from this outdated library.
SecOps pulls vulnerability detection information from your vulnerability scanner.
What your infrastructure vulnerability scanner normally does is, if the outdated libraries have vulnerabilities in used functions, then it associates this library with the version of the application (in your case TinyMC) and presents the vulnerability as if it is in the application. The scanner usually does the fingerprinting based on versions.
But vulnerabilities within software components (like libraries) are detected through a different type of vulnerability scan. It is called Component Analysis. This type of scan is similar to SCA (Static Code Analysis) scans. It basically checks all the components of compiled software and presents the vulnerabilities in the components. But the problem is usually with the functions in libraries. If the used functions are not vulnerable, there is no vulnerability in the application we can speak of.
Hope that helps.
Please mark it as helpful if it is!
Fatih!
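As an added illustration of the distinction drawn in the answer above (version-based fingerprinting versus checking whether the flagged library functions are actually called), and of the plain "is this library behind the newest release" check the question asks for, here is a small Python script. It is not part of this thread and not code from ServiceNow or any scanner; the advisory records, the affected function names (`exampleHtmlSink`, `examplePasteHandler`), the application snippet and the component inventory are constructed placeholders, and the only values taken from the thread are the version numbers.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One constructed advisory record (placeholder data, not a real CVE)."""
    library: str
    fixed_in: tuple                  # first version that no longer carries the issue
    vulnerable_functions: frozenset  # library entry points the issue lives in
    note: str


# Constructed placeholder advisories: the fixed-in versions and the function
# names are invented for this illustration and are NOT real jQuery or TinyMCE
# findings. Only the shape of the data mirrors what a scanner feed carries.
ADVISORIES = (
    Advisory("jquery", (3, 0, 0), frozenset({"exampleHtmlSink"}),
             "placeholder issue in an HTML sink"),
    Advisory("tinymce", (5, 0, 0), frozenset({"examplePasteHandler"}),
             "placeholder issue in paste handling"),
)

# Newest releases quoted in the question, used for the plain "outdated" check.
LATEST = {"tinymce": "5.2.2", "jquery": "3.6.0"}

# Constructed inventory mirroring the versions named in the thread.
INVENTORY = {"jquery": "2.2.3-snc", "tinymce": "4.4.3"}

# Constructed application source: it calls the placeholder jQuery entry point
# but only TinyMCE's (placeholder, unaffected) initialiser.
APP_SOURCE = """
$(function () {
  exampleHtmlSink(userInput);              // placeholder flagged jQuery entry point
  tinymce.init({ selector: 'textarea' });  // placeholder, not a flagged entry point
});
"""


def parse_version(text):
    """'2.2.3-snc' -> (2, 2, 3): drop vendor suffixes such as '-snc'."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def outdated(inventory, latest=LATEST):
    """Components behind the newest known release, regardless of any advisory."""
    return sorted(lib for lib, ver in inventory.items()
                  if lib in latest and parse_version(ver) < parse_version(latest[lib]))


def fingerprint(inventory, advisories=ADVISORIES):
    """Version-only detection, the way an infrastructure scanner reports it:
    every component below the fixed-in version is flagged, used or not."""
    hits = []
    for lib, ver in inventory.items():
        for adv in advisories:
            if adv.library == lib and parse_version(ver) < adv.fixed_in:
                hits.append((lib, ver, adv))
    return hits


CALL_RE = re.compile(r"([A-Za-z_$][\w$]*)\s*\(")


def called_functions(source):
    """Crude call-site extraction: every identifier directly followed by '('."""
    return set(CALL_RE.findall(source))


def reachable(inventory, source, advisories=ADVISORIES):
    """Component analysis with a reachability step: keep only the fingerprint
    hits whose vulnerable entry points the application actually calls."""
    used = called_functions(source)
    return [(lib, ver, adv) for lib, ver, adv in fingerprint(inventory, advisories)
            if adv.vulnerable_functions & used]


if __name__ == "__main__":
    print("outdated:", outdated(INVENTORY))
    print("fingerprint hits:", [(l, v, a.note) for l, v, a in fingerprint(INVENTORY)])
    print("reachable hits:", [(l, v, a.note) for l, v, a in reachable(INVENTORY, APP_SOURCE)])
```

Run as a script, it lists both components as outdated, both as fingerprint hits, but only the jQuery hit as reachable, because the constructed source never calls the TinyMCE entry point the placeholder advisory names. The call-site extraction is deliberately crude (a regex over identifiers followed by a parenthesis); a real component-analysis tool resolves the call graph, but the triage logic is the same: a version match is a candidate finding, and the used-function check decides whether it applies to this application.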
10-03-2022 08:59 AM - edited 10-03-2022 09:00 AM
Hi @Fatih Karacaer, I wanted to check back on this as this has come up on our vulnerability scans too for usage of jQuery 2.2.33 on the Service Portal. Is there a way where these libraries can be updated?
08-16-2023 05:41 AM
Hi @Irston Antao
Could I ask you if you updated the jQuery library?