BDU:2019-01542

Published: 25 Mar 2019
Source: fstec
CVSS3: 8.1
CVSS2: 7.6
EPSS: Low

Description

The vulnerability in the jQuery.extend() function of the jQuery library is caused by the absence of restrictions on modifying the `__proto__` property during an extend operation. Exploitation of the vulnerability may allow a remote attacker to cause a denial of service, execute arbitrary JavaScript code, or escalate privileges (depending on the context in which jQuery.extend is used) by means of a specially crafted JavaScript object.
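As an added illustration (this is constructed example code, not code from this record or from the jQuery project), the deep-extend below mirrors the pre-3.4.0 behaviour described above and contrasts it with the hardened variant that skips a key named `__proto__`, which is what the referenced fix introduced. The source object is built with JSON.parse so that `__proto__` is an own enumerable property, exactly the precondition the description names; a checker function reports whether Object.prototype was polluted and then restores it.

```javascript
// Simplified recursive extend, constructed to behave like jQuery.extend(true, {}, ...)
// before 3.4.0: every enumerable key of `source` is merged into `target`, including
// "__proto__". Reading target["__proto__"] on a plain object yields Object.prototype,
// so the recursion writes the injected keys straight onto Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing && typeof existing === "object" ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened variant: the key "__proto__" is never merged, and a source that is the
// target itself is skipped (this is the shape of the check added in jQuery 3.4.0).
function deepExtendHardened(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) {
      continue; // refuse to walk into the prototype chain
    }
    if (copy && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing && typeof existing === "object" ? existing : {};
      target[name] = deepExtendHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Runs one extend with a constructed malicious source and reports whether a fresh
// object now inherits the injected key; Object.prototype is cleaned up afterwards.
function pollutionCheck(extendFn) {
  // JSON.parse creates an OWN enumerable "__proto__" property, unlike an object literal.
  const source = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed sample
  extendFn({}, source);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore the global prototype
  return leaked;
}
```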

Vendor

ООО «РусБИТех-Астра»
Red Hat Inc.
Free Software Community
Oracle Corp.
Fedora Project
The jQuery Foundation
Novell Inc.
АО «Концерн ВНИИНС»
Moxa Inc.

Software name

Astra Linux Special Edition
Red Hat Enterprise Linux
Debian GNU/Linux
WebLogic Server
Enterprise Manager Ops Center
JD Edwards EnterpriseOne Tools
Primavera Unifier
Fedora
PeopleSoft Enterprise PeopleTools
jQuery
OpenSUSE Leap
Communications Billing and Revenue Management
Jboss Fuse
Oracle Hospitality Guest Access
Application Testing Suite
Insurance Performance Insight
Insurance Allocation Manager for Enterprise Profitability
Financial Services Retail Customer Analytics
Financial Services Profitability Management
Financial Services Price Creation and Discovery
Financial Services Institutional Performance Analytics
Financial Services Analytical Applications Infrastructure
Banking Platform
Oracle Policy Automation Connector for Siebel
Astra Linux Special Edition for «Эльбрус»
Oracle Communications Unified Inventory Management
Red Hat Single Sign-On
Primavera Gateway
Red Hat Virtualization Engine
Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Retail Performance Analytics
Oracle Hospitality Materials Control
Oracle JDeveloper and ADF
Oracle Service Bus
Oracle Healthcare Foundation
Oracle Healthcare Translational Research
Oracle Policy Automation
Oracle Policy Automation for Mobile Devices
Oracle Retail Customer Insights
Siebel Mobile Applications
Oracle Agile Product Lifecycle Management for Process
Diagnostic Assistant
Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management
Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation
Oracle Financial Services Data Integration Hub
Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Liquidity Risk Measurement and Management
Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Revenue Management and Billing
Oracle Insurance Data Foundation
Oracle Insurance IFRS 17 Analyzer
System Utilities
Oracle Communications Interactive Session Recorder
Tape Library ACSLS
Oracle Real-Time Scheduler
Oracle Utilities Mobile Workforce Management
Oracle Communications Session Route Manager
PeopleSoft Enterprise FIN Expenses
Insurance Accounting Analyzer
ОС ОН «Стрелец»
OnCell 3120-LTE-1

Software version

1.5 «Смоленск» (Astra Linux Special Edition)
7 (Red Hat Enterprise Linux)
9 (Debian GNU/Linux)
10.3.6.0.0 (WebLogic Server)
12.1.3.0.0 (WebLogic Server)
12.3.3 (Enterprise Manager Ops Center)
9.2 (JD Edwards EnterpriseOne Tools)
16.2 (Primavera Unifier)
16.1 (Primavera Unifier)
28 (Fedora)
8.55 (PeopleSoft Enterprise PeopleTools)
8.56 (PeopleSoft Enterprise PeopleTools)
8.57 (PeopleSoft Enterprise PeopleTools)
1.6 «Смоленск» (Astra Linux Special Edition)
29 (Fedora)
12.2.1.3.0 (WebLogic Server)
before 3.4.0 (jQuery)
8 (Red Hat Enterprise Linux)
15.1 (OpenSUSE Leap)
30 (Fedora)
8 (Debian GNU/Linux)
7.5 (Communications Billing and Revenue Management)
12.0 (Communications Billing and Revenue Management)
12.4.0 (Enterprise Manager Ops Center)
7 (Jboss Fuse)
4.2.0 (Oracle Hospitality Guest Access)
4.2.1 (Oracle Hospitality Guest Access)
13.3.0.1 (Application Testing Suite)
18.8 (Primavera Unifier)
8.0.7 (Insurance Performance Insight)
8.0.8 (Insurance Allocation Manager for Enterprise Profitability)
8.0.4 through 8.0.6 inclusive (Financial Services Retail Customer Analytics)
8.0.4 through 8.0.7 inclusive (Financial Services Profitability Management)
8.0.4 through 8.0.7 inclusive (Financial Services Price Creation and Discovery)
8.0.4 through 8.0.7 inclusive (Financial Services Institutional Performance Analytics)
8.0.2 through 8.0.8 inclusive (Financial Services Analytical Applications Infrastructure)
2.4.0 through 2.7.1 inclusive (Banking Platform)
10.4.6 (Oracle Policy Automation Connector for Siebel)
8.1 «Ленинград» (Astra Linux Special Edition for «Эльбрус»)
12.5.0.3 (Application Testing Suite)
13.1.0.1 (Application Testing Suite)
13.2.0.1 (Application Testing Suite)
7.3 (Oracle Communications Unified Inventory Management)
7.4 (Oracle Communications Unified Inventory Management)
7.3 (Red Hat Single Sign-On)
15.2.18 (Primavera Gateway)
16.2.11 (Primavera Gateway)
17.12.6 (Primavera Gateway)
18.8.8.1 (Primavera Gateway)
4.3 (Red Hat Virtualization Engine)
17.7 through 17.12 inclusive (Primavera Unifier)
13.2 (Application Testing Suite)
13.3 (Application Testing Suite)
8.0.6 (Oracle Financial Services Enterprise Financial Performance Analytics)
8.0.7 (Oracle Financial Services Enterprise Financial Performance Analytics)
8.0.6 (Oracle Financial Services Retail Performance Analytics)
8.0.7 (Oracle Financial Services Retail Performance Analytics)
18.1 (Oracle Hospitality Materials Control)
11.1.1.9.0 (Oracle JDeveloper and ADF)
12.1.3.0.0 (Oracle JDeveloper and ADF)
12.2.1.3.0 (Oracle JDeveloper and ADF)
11.1.1.9.0 (Oracle Service Bus)
12.1.3.0.0 (Oracle Service Bus)
12.2.1.3.0 (Oracle Service Bus)
7.1.1 (Oracle Healthcare Foundation)
7.2.2 (Oracle Healthcare Foundation)
3.1.0 (Oracle Healthcare Translational Research)
3.2.1 (Oracle Healthcare Translational Research)
3.3.1 (Oracle Healthcare Translational Research)
10.4.7 (Oracle Policy Automation)
12.1.0 (Oracle Policy Automation)
12.1.1 (Oracle Policy Automation)
12.2.0 through 12.2.15 inclusive (Oracle Policy Automation)
12.2.0 through 12.2.15 inclusive (Oracle Policy Automation for Mobile Devices)
15.0 (Oracle Retail Customer Insights)
16.0 (Oracle Retail Customer Insights)
up to and including 19.8 (Siebel Mobile Applications)
6.2.0.0 (Oracle Agile Product Lifecycle Management for Process)
6.2.1.0 (Oracle Agile Product Lifecycle Management for Process)
6.2.2.0 (Oracle Agile Product Lifecycle Management for Process)
6.2.3.0 (Oracle Agile Product Lifecycle Management for Process)
2.12.36 (Diagnostic Assistant)
7.3.3 through 7.3.5 inclusive (Financial Services Analytical Applications Infrastructure)
8.0.4 through 8.0.7 inclusive (Oracle Financial Services Analytical Applications Reconciliation Framework)
8.0.4 through 8.0.7 inclusive (Oracle Financial Services Asset Liability Management)
8.0.4 through 8.0.7 inclusive (Oracle Financial Services Basel Regulatory Capital Basic)
8.0.4 through 8.0.7 inclusive (Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach)
8.0.4 through 8.0.8 inclusive (Oracle Financial Services Data Foundation)
8.0.5 through 8.0.7 inclusive (Oracle Financial Services Data Integration Hub)
8.0.4 through 8.0.7 inclusive (Financial Services Funds Transfer Pricing)
8.0.4 through 8.0.7 inclusive (Oracle Financial Services Hedge Management and IFRS Valuations)
8.0.1 through 8.0.6 inclusive (Oracle Financial Services Liquidity Risk Management)
8.0.7 (Oracle Financial Services Liquidity Risk Measurement and Management)
8.0.8 (Oracle Financial Services Liquidity Risk Measurement and Management)
8.0.2 through 8.0.7 inclusive (Oracle Financial Services Loan Loss Forecasting and Provisioning)
8.0.5 (Oracle Financial Services Market Risk Measurement and Management)
8.0.6 (Oracle Financial Services Market Risk Measurement and Management)
8.0.8 (Oracle Financial Services Market Risk Measurement and Management)
2.4.0.0 (Oracle Financial Services Revenue Management and Billing)
2.4.0.1 (Oracle Financial Services Revenue Management and Billing)
8.0.4 through 8.0.7 inclusive (Oracle Insurance Data Foundation)
8.0.6 (Oracle Insurance IFRS 17 Analyzer)
8.0.7 (Oracle Insurance IFRS 17 Analyzer)
19.1 (System Utilities)
6.0 (Oracle Communications Interactive Session Recorder)
6.1 (Oracle Communications Interactive Session Recorder)
6.2 (Oracle Communications Interactive Session Recorder)
6.3 (Oracle Communications Interactive Session Recorder)
8.5 (Tape Library ACSLS)
8.5.1 (Tape Library ACSLS)
2.3.0.1 through 2.3.0.3 inclusive (Oracle Real-Time Scheduler)
2.3.0.1 through 2.3.0.3 inclusive (Oracle Utilities Mobile Workforce Management)
8.1.1 (Oracle Communications Session Route Manager)
8.2.0 (Oracle Communications Session Route Manager)
8.2.1 (Oracle Communications Session Route Manager)
9.2 (PeopleSoft Enterprise FIN Expenses)
8.0.6 through 8.0.8 inclusive (Insurance Accounting Analyzer)
before 16.01.2023 (ОС ОН «Стрелец»)
up to and including 2.3 (OnCell 3120-LTE-1)

Software type

Operating system
Network software
Information system application software
Virtualization software / virtual hardware-software appliance software

Operating systems and hardware platforms

ООО «РусБИТех-Астра» Astra Linux Special Edition 1.5 «Смоленск»
Red Hat Inc. Red Hat Enterprise Linux 7
Free Software Community Debian GNU/Linux 9
Fedora Project Fedora 28
ООО «РусБИТех-Астра» Astra Linux Special Edition 1.6 «Смоленск»
Fedora Project Fedora 29
Red Hat Inc. Red Hat Enterprise Linux 8
Novell Inc. OpenSUSE Leap 15.1
Fedora Project Fedora 30
Free Software Community Debian GNU/Linux 8
ООО «РусБИТех-Астра» Astra Linux Special Edition for «Эльбрус» 8.1 «Ленинград»
АО «Концерн ВНИИНС» ОС ОН «Стрелец» before 16.01.2023

Vulnerability severity level

High severity (CVSS 2.0 base score is 7.6)
High severity (CVSS 3.0 base score is 8.1)

Possible remediation measures

Follow the vendor recommendations:
For jQuery:
https://github.com/jquery/jquery/pull/4333
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
For Astra Linux:
https://wiki.astralinux.ru/pages/viewpage.action?pageId=67111271
https://wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15
For Debian:
https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html
https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html
For openSUSE:
https://www.suse.com/security/cve/CVE-2019-11358/
For Oracle products:
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2019.html
https://www.oracle.com/security-alerts/cpuoct2019.html
https://www.oracle.com/security-alerts/cpujul2020.html
For Red Hat:
https://access.redhat.com/security/cve/CVE-2019-11358?extIdCarryOver=true&sc_cid=701f2000001OH7JAAW
For Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/
For ОС ОН «Стрелец»:
Update the mediawiki software to version 1:1.27.7-1+deb9u11
For Moxa:
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-244707-oncell-3120-lte-1-series-multiple-jquery-vulnerabilities
For Astra Linux 1.6 «Смоленск»:
update the jquery package to version 3.1.1-2+deb9u1 or later, following the vendor recommendations: https://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Remediation information

Vulnerability fixed

Scores

EPSS: 0.02022 (percentile 83%), Low
CVSS3: 8.1 High
CVSS2: 7.6 High

Related vulnerabilities

CVSS3: 6.1
ubuntu
about 6 years ago

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS3: 5.6
redhat
about 6 years ago

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS3: 6.1
nvd
about 6 years ago

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS3: 6.1
msrc
9 months ago

No description available

CVSS3: 6.1
debian
about 6 years ago

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other produc ...
