SMB SSL-VPN - Does the jQuery vulnerability (CVE-2011-4969) affect SRA/SMA devices?
03/26/2020
Customers running vulnerability scans may get reports indicating that the SRA/SMA is affected by the vulnerability CVE-2011-4969. More information about this vulnerability can be found at the following link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
According to our engineering department, the SRA/SMA is not vulnerable to the jQuery vulnerability. Although the SRA uses an affected version of jQuery (1.4.2), we do not use location.hash within a jQuery selector, which is what exposes the application to a cross-site scripting (XSS) attack.
Although the SRA is not vulnerable, our engineers have patched the current jQuery version to be safe, based on this patch: https://bugs.jquery.com/ticket/9521.
This patch will be included in the next 18.104.22.168 and 22.214.171.124 firmware releases.
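A scanner that flags the jQuery version alone cannot tell whether the risky usage is present. The following added example (not SonicWall's or jQuery's code) audits JavaScript source for jQuery selector calls fed from location.hash, the usage identified above as what exposes an application. The function names, regexes and sample source are constructed for illustration, and the check is a regex heuristic, not a full parser.

```javascript
// Added example: heuristic audit for the usage pattern behind CVE-2011-4969.
// Flags $(...) / jQuery(...) calls whose argument derives from location.hash,
// directly or through variables assigned from it.
const HASH_SOURCE = /\b(?:window\.|document\.)?location\.hash\b/;
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*=(?!=)\s*([^;\n]+)/g;
// Selector call argument, allowing one level of nested parentheses.
const SELECTOR_CALL = /(?:\$|\bjQuery)\s*\(([^()]*(?:\([^()]*\)[^()]*)*)\)/g;

function isTainted(expr, tainted) {
  if (HASH_SOURCE.test(expr)) return true;
  for (const name of tainted) {
    const id = name.replace(/\$/g, "\\$");
    // Match the bare identifier, not a property (.name) or a longer name.
    if (new RegExp(`(^|[^\\w$.])${id}(?![\\w$])`).test(expr)) return true;
  }
  return false;
}

function findHashSelectors(source) {
  const tainted = new Set();
  let grew = true;
  while (grew) { // propagate taint through assignments until nothing new is added
    grew = false;
    for (const [, name, value] of source.matchAll(ASSIGNMENT)) {
      if (!tainted.has(name) && isTainted(value, tainted)) {
        tainted.add(name);
        grew = true;
      }
    }
  }
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const [, arg] of text.matchAll(SELECTOR_CALL)) {
      if (isTainted(arg, tainted)) findings.push({ line: i + 1, code: text.trim() });
    }
  });
  return findings;
}

// Constructed sample source: lines 3, 4 and 5 pass hash-derived data to a selector.
const SAMPLE = [
  'var target = location.hash;',
  'var pane = "#pane-" + target.slice(1);',
  '$(target).show();',
  'jQuery(window.location.hash).focus();',
  '$(pane).addClass("active");',
  '$("#menu").hide();',
  'var id = location.hash.slice(1);',
  'document.getElementById(id).focus();',
].join("\n");
console.log(findHashSelectors(SAMPLE));
```

An empty result over an application's scripts is consistent with a version-only scanner finding being a false positive, but minified code or dataflow through function arguments needs manual review.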