Failing PCI Scans because of outdated jQuery in User Portal - Is there a fix?

Question

We are failing our PCI compliance scans on every XG firewall we have that has the user portal enabled. Our PCI compliance scanning company is telling us this: 
 
 Description: "jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed. This finding indicates that either the root domain url, sub-domain url, or an imported/sourced version of jQuery is below jQuery version 3.0. All three scenarios allow an attacker to execute cross site scripting attacks on the root domain." 
 Evidence: jQuery appears to be '2.1.3' and needs to be at '3.0.0' or higher 
 
 This is ONLY happening on the port used by the User Portal. To verify this we changed the port to another number, had a host rescanned, and the vulnerability was found on that new port. 
 
 Is there anything I can do to get this fixed or do I have to wait for Sophos to update the jQuery version they are using? Is there a bug report place I can put this if that's the case or who do I contact?

AllanD · Accepted Answer

I have put in a support request. Here is there answer which doesn't help at all: 
 
 "Thank you for contacting sophos technical support today. Just to let you that this issue in not currently a technical support issue as we provided this KB https://community.sophos.com/kb/en-us/132741 . Current there is no ETA when this version will be upgraded to 3.0 or higher. If you require different answer please contact your account manager about this issue." 
 
 I replied and told them I needed more information to satisfy our PCI scanning company and have received no response yet.

HuberChristian · Answer

This issue was allready reported by myself during the Beta Period. See: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v17-5-early-access/f/sophos-xg-17-5-early-access/108784/planned-login-screen-change-for-17-5-final 
 
 I do not understand at all, why they need a full JQuery for a simple Login Screen. This makes Loginscreen huge (2.2Mbytes which has to be transfered for each Request). 
 From my point of view, this is a good example on what happens, if in a Company the Marketing guys are going to decide about stuff like this instead of technicans/developers.

AllanD · Answer

LuCar Toni said: 
 You should talk to your Sales Rep about this to get a proper answer to this topic.

Please don't take this wrong but I came to these forums for a answer. When that wasn't looking very positive I put in a support request. So if you, a Sophos staff member, cannot answer the question here and your support people (case #8496846) can't answer the question through their channels then the only reason I would be contacting my sales rep is to find alternatives to your product. 
 
 With that said it is not something I want to do, especially after investing in 3 XG's and 12 - 14 REDs. I like the product overall but for a security appliance it seems to have a decent amount of security related issues.

AlanT · Answer

AllanD, Michael Dunn was doing some digging, and pointed out to me that there's two different httpd.conf files on the shell: 
 /_conf/httpd/conf/httpd.conf 
 and 
 /usr/apache/conf/httpd.conf 
 I was referencing the first one, but I suspect you're referencing the second one, as I see similar lines you're mentioning in the second file. 
 The first one is used by webadmin, the user portal, and other system services, and I've tested numerous systems, and can confirm the same scan results Bill Roland reports, across my estate of firewalls. The second one is related to WAF, but I'm not certain how exactly it is used - if it's still used at all. For example, it always says it will allow TLS 1.0 & 1.1, but I can change that setting in webadmin, under "Webserver Protection > General", then test against https://www.ssllabs.com/ssltest/ and clearly see that TLS 1.0 and 1.1 are allowed or blocked, on any WAF listening ports, according to the webadmin setting. So while I can verify what you're seeing on the shell, I can't confirm the external behavior results you're reporting. 
 Ignoring the .conf file contents for the moment, I want to make sure I'm really looking at the same thing that is actually failing for you. Can you give a bit more info on the audit failures you're getting? what ports are involved, etc..?

AllanD · Answer

AlanT said: 
 First off, on the original thread topic, the KB has been updated to be a bit clearer: https://community.sophos.com/kb/en-us/132741 . Hopefully that helps with addressing auditors. 
 
 PCI compliance scanning company approved my dispute based on the updated KB article. Thanks.

LuCar Toni · Answer

Would suggest to open: 
 a. a new Thread about this TLS1.0 Issue. 
 b. a new Support Case about this Issue. 
 
 So we can keep this here about the jQuery Topic and discuss the WAF issue separately.

AlanT · Answer

Hey AllanD, 
 This thread seems to have de-railed somewhat. Let me try to put some tracks under it again. 
 As you should expect, this report was already known to us, and some of the confusion comes from there being multiple CVEs reported in the initial reports we received, and this wasn't a simple case of "critical vuln found, fix immediately". 
 CVE-2016-10707 was found to be a false positive on XG, because the version of jquery we use is not affected, despite early reports to the contrary. You can find some comments on this buried here: https://github.com/jquery/jquery/issues/3133 Specifically: "The range in the database is incorrect, the only affected version is 3.0.0-rc.1 . Both the earlier 2.1.x , 2.2.x & 3.0.0-beta1 and the later 3.0.0 don't exhibit the issue." 
 Originally, a range of affected versions were reported, but later, this was reduced to just one version, which is not the version XG is using. If this cve is being flagged, it is a false positive on the part of your auditor, likely because it is using the originally mis-reported list of affected versions. The link above should help with supporting material for this. 
 The other item is CVE-2015-9251, does affect the version XG is using, and that library is potentially vulnerable to a XSS attack - depending on implementation. XG's implementation does not allow it to access any external content, thus the risk has always been fully mitigated, lowering the priority to update. We will eventually upgrade to a newer version of jquery, but we're not ready for that effort just yet, so as a further interim step, in v17.1 MR2, we back-ported the fix from a later version, to the version we are running. As of v17.1 MR2, XG is not even theoretically affected, though because the version number remains the same, this will likely need to be addressed explicitly in your audits. 
 Hopefully that clarifies things a bit, and I'll follow up internally, to make sure that our KB articles are adequately detailed, to cover what I've said above. 
 
 One final note, though.. 
 AllanD said: And the reason this is important is because this XG product suffers from lots of other vulnerabilities that need manual intervention to fix. Like the fact it supports 3DES encryption, TLS1.0, TLS1.1, and HTTP Track/Trace all by default and all that fail PCI compliance scans. 
 That info is outdated. I'm not sure when this changed, but it's been a while, and doing a quick sanity check, my firewalls all report an A ('T' actually, but 'A' if certificate trust issues are ignored) on qualys ssl test site. None of the issues you mention are present in their report. you might want to have another look at that.

AllanD · Answer

Thanks for checking guys. 
 Well this is no good....I can't exactly disable my user portal. Although if Sophos would fix it so it didn't show up on every external IP address at least I would have less violations (currently being flagged 5 times for the same thing since it seems we can't lock down the user portal to a single IP address). 
 How do we get Sophos to take action on this? Submit a bug to support? 
 
 Edit: I'm opening a support case, suggest others do the same.

JonathanP · Answer

So my dispute was accepted. I sent the following text for my dispute: 
 
 The Sophos firewall is running 2.1.3. The Sophos support department has confirmed from dev team that the CVE-2015-9251 false positive result has been patched and hardened. 
 I'm now running the latest sophos version 17.5 
 I received the following from: 
 I have confirmed with our global escalations team (GES) that the XG is patched since MR2 however the detection will falsely be detected. 
 It it scheduled to be fixed in 18.5, however this may change and we do not have a set date for when this will be released.