Hello everyone,
Our vulnerability scanning tool is coming back with JQuery 1.2 < 3.5.0 Multiple XSS (CVE-2020-11022) but only on our AIX servers. I'm curious if anyone has seen this.
https://server1:5693/static/js/jquery.3.4.1.min.js
That .js file is in /usr/local/ncpa/listener/static/js/jquery.3.4.1.min.js on all those servers.
Looking around (googling), it looks like there is a 3.5.0 version. Would it break anything if that was upgraded?
jquery vulnerability showing on AIX
Re: jquery vulnerability showing on AIX
Hi @kbauma01,
I checked and it looks like we ship a newer version of jquery (3.5.1) with NCPA as of a while ago, I believe you should be fine to upgrade this. As always I'd recommend taking a VM snapshot before making changes.
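To confirm which jQuery build a server really carries before and after replacing the file, the check below (an added example, not part of the original thread and not NCPA's own code) reads the version from the banner comment inside each jquery*.js file instead of trusting the filename, and compares it with the 3.5.0 threshold from the scanner finding. The function names and the script name are hypothetical, and it assumes the file keeps the standard jQuery banner comment; run it as sh check_jquery.sh /usr/local/ncpa/listener/static/js.

```shell
#!/bin/sh
# Added example: report the jQuery version each file really contains.
FIXED_DEFAULT=3.5.0   # threshold from the scanner finding on the page (< 3.5.0)

# Print the version from the banner comment at the top of a jQuery build:
# "/*! jQuery v3.4.1 | ..." (minified) or "jQuery JavaScript Library v3.4.1".
jquery_version() {
    head -c 512 "$1" |
        sed -n 's/.*jQuery \(JavaScript Library \)\{0,1\}v\([0-9][0-9.]*\).*/\2/p' |
        head -n 1
}

# Succeed when dotted version $1 is lower than $2 (numeric, field by field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Audit every jquery*.js in directory $1; return 1 if any is below the fix
# version or carries no readable banner.
audit_jquery_dir() {
    dir=$1; fixed=${2:-$FIXED_DEFAULT}; rc=0
    for f in "$dir"/jquery*.js; do
        [ -f "$f" ] || continue
        v=$(jquery_version "$f")
        if [ -z "$v" ]; then echo "UNKNOWN $f"; rc=1
        elif version_lt "$v" "$fixed"; then echo "VULNERABLE $f $v"; rc=1
        else echo "OK $f $v"
        fi
    done
    return $rc
}

# Stand-alone run: audit the directory in $1, else a constructed sample.
if [ -n "${1:-}" ]; then
    audit_jquery_dir "$1"
else
    tmp=$(mktemp -d)   # constructed sample file, not a real NCPA install
    printf '/*! jQuery v3.4.1 | constructed banner */\n' > "$tmp/jquery.3.4.1.min.js"
    audit_jquery_dir "$tmp" || true
    rm -rf "$tmp"
fi
```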
Re: jquery vulnerability showing on AIX
Thanks @jsimon
Is there a newer NCPA agent for AIX? The one I see is 2.2.1.
Re: jquery vulnerability showing on AIX
We currently are not producing AIX packages for NCPA. As NCPA is maintained as open source software, you could try building a newer version in house if there are specific requirements you need to meet. Another option would be to look at migrating to NRPE, if that suits your use case better.
Re: jquery vulnerability showing on AIX
jsimon wrote: ↑Tue Sep 10, 2024 3:02 pm
> We currently are not producing AIX packages for NCPA. As NCPA is maintained as open source software, you could try building a newer version in house if there are specific requirements you need to meet. Another option would be to look at migrating to NRPE, if that suits your use case better

Hopefully there will be AIX packages for NCPA soon. Because I am having some problems and need AIX
Re: jquery vulnerability showing on AIX
I would also like to see a newer version of NCPA for AIX. We use the NCPA agent on all our different platforms, including AIX.
Re: jquery vulnerability showing on AIX
I'll reference my other post on this topic here: viewtopic.php?p=360003#top