PCI Scan failed with jQuery Cross-Site XSS

[rebus9]

Blesta 4.2.1 installed.  Until now, monthly PCI scans all passed.  Today, I woke up to a notification the overnight PCI scan failed:
 

Quote

jQuery Cross-Domain Asynchronous JavaScript and Extensible
Markup Language Request Cross-site Scripting Vulnerability:
CVE:  CVE-2015-9251
NVD:  CVE-2015-9251
Reference:
https://github.com/jquery/issues/2432
https://snyk.io/vuln/npm:jquery:20150627

Unfortunately, Blesta doesn't run as a self-contained app (we're on Windows Server 2012 R2), and requires various 3rd party components, such as ioncube loader.

Is the fail related to a component that ships inside Blesta, or one of the external components?   

If it helps, the full text on the PCI report is:

Quote

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain
Asynchronous JavaScript and Extensible Markup Language
(AJAX) Request is performed without the dataType option, causing
text/javascript responses to be executed.

This finding indicates that either the root domain url, sub-domain url, or
an imported/sourced version of jQuery is below jQuery version 3.0. All
three scenarios allow an attacker to execute cross site scripting attacks
on the root domain.

This finding is based on version information which may not have been
updated by previously installed patches (e.g., Red Hat "back ports").

All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.

Evidence:
Match: '2.0.3' is less than '3.0.0'

Remediation:
Upgrade jQuery to version 3.0.0 or higher. This includes versions of
jQuery used on the root domain, subdomain, or imported/sourced
libraries.

 

[activa]

Is a jquery components, shipped with blesta but maintained by third party. Blesta use jquery series 2, it should upgraded to series 3 .

[rebus9]

On 11/22/2018 at 7:32 PM, activa said:

Is a jquery components, shipped with blesta but maintained by third party. Blesta use jquery series 2, it should upgraded to series 3 .

If that is true, they will HAVE to update it-- and FAST.  We are failing our mandatory PCI scans, and the jquery version detected is the sole reason for the failing grade.  We passed on all other points.

PCI scan failure means we are out of compliance, and will be charged a monthly non-compliance fee... not to mention the additional legal exposure for failing to meet standards.

 

[Paul]

CORE-2779 has been created for this, but the vulnerability described does not impact Blesta as implemented. There are a number of issues that must be resolved for compatibility with the latest jQuery and we're working on it. (Simply updating jQuery will break the software) For now I would suggest contesting the item with something along the lines of:

The software is implemented securely, and in such a way that it is unaffected by this jQuery vulnerability. We are waiting on a software update from our vendor an will update as soon as it's available.

[rebus9]

On 11/26/2018 at 11:24 AM, Paul said:

CORE-2779 has been created for this, but the vulnerability described does not impact Blesta as implemented. There are a number of issues that must be resolved for compatibility with the latest jQuery and we're working on it. (Simply updating jQuery will break the software) For now I would suggest contesting the item with something along the lines of:

The software is implemented securely, and in such a way that it is unaffected by this jQuery vulnerability. We are waiting on a software update from our vendor an will update as soon as it's available.

Here's the response from Trustwave:  "In order for us to properly process this dispute, we require the full jQuery version currently running on this system."

Can you please provide that info, along with any notes that would be helpful to give to them to process the dispute?  I already sent them the CORE-2779 link, but they want more.

 

[rebus9]

On 11/27/2018 at 2:15 PM, rebus9 said:

Here's the response from Trustwave:  "In order for us to properly process this dispute, we require the full jQuery version currently running on this system."

Can you please provide that info, along with any notes that would be helpful to give to them to process the dispute?  I already sent them the CORE-2779 link, but they want more.

Paul, are you still here?  This single issue failing PCI is causing us to be charged a PCI-non-compliance penalty fee by our merchant account provider.

[Paul]

9 minutes ago, rebus9 said:

Paul, are you still here?  This single issue failing PCI is causing us to be charged a PCI-non-compliance penalty fee by our merchant account provider.

I was hoping @Tyson or @Jono would respond. Normally the response I provided for you to give them would be sufficient. As far as I can tell, Blesta does not call the vulnerable function in jQuery, so it's implemented securely and cannot be exploited. The version seems irrelevant to this fact, especially since they know the version because they scanned it. Maybe the guys can provide a more technically worded response that will tickle the keywords they are looking for in their review, but I see no reason they shouldn't give you a pass on this for now. Nothing to see here.

[rebus9]

On 11/28/2018 at 6:03 PM, Paul said:

I was hoping @Tyson or @Jono would respond. Normally the response I provided for you to give them would be sufficient. As far as I can tell, Blesta does not call the vulnerable function in jQuery, so it's implemented securely and cannot be exploited. The version seems irrelevant to this fact, especially since they know the version because they scanned it. Maybe the guys can provide a more technically worded response that will tickle the keywords they are looking for in their review, but I see no reason they shouldn't give you a pass on this for now. Nothing to see here.

Can you ping them internally, since they are not responding here?  The PCI compliance vendor (TrustWave) says what's been provided in this thread is insufficient explanation, and we're getting financially penalized for PCI non-compliance.
 

[Tyson]

Hi @rebus9,

Blesta does not perform cross-domain AJAX requests without specifying the dataType option, so I don't see how the vulnerability mentioned (i.e. https://snyk.io/vuln/npm:jquery:20150627) could be exploited as it is described. Blesta, actually, does not perform any cross-domain AJAX requests at all except for one in the admin interface in order to load the "Follow @blesta" button in the Feed Reader plugin. Unless you have installed some other third-party extensions with Blesta that do perform cross-domain AJAX requests, I don't think you have anything to worry about regarding that jQuery XSS vulnerability.

[rebus9]

On 12/3/2018 at 5:25 PM, Tyson said:

Hi @rebus9,

Blesta does not perform cross-domain AJAX requests without specifying the dataType option, so I don't see how the vulnerability mentioned (i.e. https://snyk.io/vuln/npm:jquery:20150627) could be exploited as it is described. Blesta, actually, does not perform any cross-domain AJAX requests at all except for one in the admin interface in order to load the "Follow @blesta" button in the Feed Reader plugin. Unless you have installed some other third-party extensions with Blesta that do perform cross-domain AJAX requests, I don't think you have anything to worry about regarding that jQuery XSS vulnerability.

Thanks Tyson.  That extra detail was enough to get an exception from TrustWave.  The exception is not permanent, but hopefully the Blesta software will have an updated jquery version before the it comes up for review/re-evaluation.