Severity: Informational
Description: Security scanners might flag HTMLCommons files in SAS Viya 3.5 as vulnerable to CVEs in the jQuery UI.
Potential Impact: SAS has confirmed that SAS Viya 3.5 is not affected by these CVEs.
If you run a security scan on a SAS Viya 3.5 environment, some files under the following path might be flagged as vulnerable to the known CVEs in the jQuery UI. All of these files are part of the SAS web framework called HTMLCommons 10.2.
/opt/sas/viya/home/var/www/html/htmlcommons/10.2/resources/sap/ui/**
Or, if you run the scan through the URL, the same files under the following URL might be flagged as vulnerable:
https://hostname/htmlcommons/10.2/shcb*/resources/sap/ui/**
The CVEs flagged for these files are listed below. All of them are known vulnerabilities in the jQuery UI.
Some security scanners might detect these jQuery UI CVEs because HTMLCommons 10.2 contains code from the jQuery UI 1.10.4.
However, these detections do not mean that all the known vulnerabilities in the jQuery UI affect the SAS Viya 3.5 applications because the jQuery UI code that is used in SAS Viya 3.5 is not exactly the same as the original jQuery UI files available from https://jqueryui.com. The jQuery UI code that is used in SAS Viya 3.5 is a customized version of jQuery UI, and it doesn't contain all the features that are available in the original jQuery UI.
SAS has confirmed that SAS Viya 3.5 is not affected by any of these CVEs for the reasons explained below:
CVE-2010-5312:
SAS Viya 3.5 is not affected because this CVE affects jQuery UI versions before 1.10.0, and HTMLCommons 10.2 uses code from jQuery UI 1.10.4.
CVE-2012-6662:
SAS Viya 3.5 is not affected because this CVE affects jQuery UI versions before 1.10.0, and HTMLCommons 10.2 uses code from jQuery UI 1.10.4.
CVE-2016-7103:
SAS Viya 3.5 is not affected because this affects the jQuery UI Dialog widget, and the code of this widget is not included in HTMLCommons 10.2.
CVE-2021-41182:
SAS Viya 3.5 is not affected because this affects the jQuery UI Datepicker widget, and while the code of this widget is included in HTMLCommons 10.2, it is not used in SAS Viya 3.5 applications.
CVE-2021-41183:
SAS Viya 3.5 is not affected because this affects the jQuery UI Datepicker widget, and while the code of this widget is included in HTMLCommons 10.2, it is not used in SAS Viya 3.5 applications.
CVE-2021-41184:
This affects jQuery UI's position() function, which is used in HTMLCommons 10.2.
SAS Viya 3.5 is not affected, however, because, as the NVD problem description states, "accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code," and SAS Viya 3.5 does not take the value of the of option from user input or any other untrusted source.
Therefore, this vulnerability is not exploitable in SAS Viya 3.5 applications.
CVE-2022-31160:
SAS Viya 3.5 is not affected because this affects the jQuery UI Checkboxradio widget, and the code of this widget is not included in HTMLCommons 10.2.
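The per-CVE reasoning above follows a small decision procedure: rule a CVE out if the embedded jQuery UI version is outside the affected range, rule it out if the widget it concerns is absent from the bundle, and otherwise check how the code is actually used. The script below, which is an added example and not SAS code, applies that procedure to a scanned bundle so that a scanner finding can be triaged against this note. The version banner format, the regular expressions used to detect widgets and the position() utility, and the sample bundle text are all assumptions or constructed data; the affected ranges and components come only from this note. Findings that hinge on usage (Datepicker present but unused, the of option never coming from untrusted input) are reported for manual review rather than decided automatically.

```python
"""Triage of jQuery UI scanner findings by version and component presence.

Added example, not SAS code. It mechanises the reasoning this note applies:
a CVE is ruled out when the jQuery UI version embedded in the bundle is outside
the affected range, or when the component the CVE concerns is not present at
all. Findings that depend on how the code is used are marked for manual review.
The bundle text at the bottom is a constructed sample.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, int, int]

# Assumption: jQuery UI builds start with a banner such as "/*! jQuery UI - v1.10.4 - ...".
VERSION_RE = re.compile(r"jQuery UI - v(\d+)\.(\d+)\.(\d+)")
# Widgets register themselves as $.widget("ui.<name>", ...); older plugin-style
# modules (datepicker, position) attach directly to $.fn.<name>. Both are heuristics.
WIDGET_RE = re.compile(r'\$\.widget\(\s*["\']ui\.(\w+)["\']')
PLUGIN_RE = re.compile(r"\$\.fn\.(\w+)\s*=")

# Affected-version upper bound (exclusive) and the component concerned, exactly as
# this note states them. None for the bound means the note gives only a component.
CVES: Dict[str, Tuple[Optional[Version], Optional[str]]] = {
    "CVE-2010-5312": ((1, 10, 0), None),
    "CVE-2012-6662": ((1, 10, 0), None),
    "CVE-2016-7103": (None, "dialog"),
    "CVE-2021-41182": (None, "datepicker"),
    "CVE-2021-41183": (None, "datepicker"),
    "CVE-2021-41184": (None, "position"),
    "CVE-2022-31160": (None, "checkboxradio"),
}


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def scan_bundle(source: str) -> Tuple[Optional[Version], Set[str]]:
    """Return the embedded jQuery UI version (or None) and the set of components found."""
    match = VERSION_RE.search(source)
    version = tuple(int(n) for n in match.groups()) if match else None
    components = set(WIDGET_RE.findall(source)) | set(PLUGIN_RE.findall(source))
    return version, components


def triage(version: Optional[Version], components: Set[str]) -> Dict[str, str]:
    """Map each CVE to a verdict string starting with 'not affected', 'affected' or 'review'."""
    verdicts: Dict[str, str] = {}
    for cve, (bound, component) in CVES.items():
        if bound is not None:
            if version is None:
                verdicts[cve] = "review: no jQuery UI version banner found in the bundle"
            elif version < bound:
                verdicts[cve] = f"affected: version {fmt(version)} is before {fmt(bound)}"
            else:
                verdicts[cve] = f"not affected: version {fmt(version)} is not before {fmt(bound)}"
        elif component not in components:
            verdicts[cve] = f"not affected: {component} code is not present in the bundle"
        else:
            verdicts[cve] = (f"review: {component} code is present; confirm it is unused by the "
                             "applications or that its options never come from untrusted input")
    return verdicts


def triage_directory(root: Path) -> Dict[str, str]:
    """Triage every .js file below a caller-supplied directory as one bundle."""
    source = "\n".join(p.read_text(errors="replace") for p in root.rglob("*.js"))
    return triage(*scan_bundle(source))


# Constructed sample standing in for a trimmed jQuery UI 1.10.4 bundle: datepicker,
# tooltip and position() present; dialog and checkboxradio absent.
SAMPLE_BUNDLE = """/*! jQuery UI - v1.10.4 - 2014-01-17
* http://jqueryui.com */
(function($){
$.widget("ui.tooltip", { _create: function(){} });
$.fn.datepicker = function(options){ return this; };
$.fn.position = function(options){ return this; };
})(jQuery);
"""

if __name__ == "__main__":
    for cve, verdict in triage(*scan_bundle(SAMPLE_BUNDLE)).items():
        print(cve, "-", verdict)
```

Running the script against the constructed sample reproduces the note's outcome for the version-bounded CVEs and the absent widgets, and leaves the Datepicker and position() findings as review items, which is where the usage argument in the note has to be applied by hand. To run it against a real environment, pass the HTMLCommons resources directory to triage_directory; the version banner and detection patterns may need adjusting if the bundle has been minified or repackaged differently than assumed here.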
Operating System and Release Information
| Product Family | Product | System | Product Release Reported | Product Release Fixed* | SAS Release Reported | SAS Release Fixed* |
| SAS System | SAS Viya 3.x | Microsoft® Windows® for x64 | 3.5 | | Viya 3.5 | |
| SAS System | SAS Viya 3.x | Linux for x64 | 3.5 | | Viya 3.5 | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.