Hi,
We’ve recently performed a security PEN test on our Liberty Create / Tenant Hub environment. It highlighted a jQuery UI issue where the library is out-of-date.
Netcall have said this issue will be addressed in the next release, but I was wondering if other sites have highlighted similar issues, and how you managed this on a live Tenant Hub site.
Thanks,
Nick
Hi,
A library being out-of-date doesn’t indicate an issue per se, only if it contains a vulnerability. If it does, then we push out software patches to address it as per the SLA within your contract.
We update all libraries to the latest versions on the release of each version of Liberty Create, just to keep them current, but obviously a new version could then be released the next day.
If you believe the finding indicates a vulnerability, feel free to email the report to me and I’ll check. It could be a false positive, it could be we have already made a patch available, or it could be they’ve identified something our SCA/SAST/DAST scanning tools haven’t picked up (although that’s unlikely).
Richard
Hi Richard,
Thanks for the response.
Our PEN test highlighted some unsupported JS libraries.
Sorry for the screenshot, but please see Netcall’s comments / responses (below):
While Netcall are implying this particular vulnerability is not exploitable in the way Create uses it, our Networks dept will not allow us to make the TH available publicly until it’s either updated or a mitigation is put in place.
However, as you can see, Netcall confirmed the “bootstrap update” would be patched in v26.1. I’m just trying to confirm if it has been patched in v26.1, as I cannot see any reference to it in the release notes. Are you able to provide any further details please?
Regards,
Nick
Hi Nick,
The work on jQuery UI was completed as expected and patches were released for supported versions in Jan.
The Bootstrap work has also been completed as expected; it’s an under-the-hood library change so probably wasn’t considered worthy of including in the Release Notes as you shouldn’t notice any change. We’re obviously updating libraries continually at the moment due to all the third-party supply chain attacks going on!
Richard
Thanks Richard,
We’ve scheduled a second PEN test next week (11th), but we’re still on release v2025.3. So, this issue shouldn’t be flagged even on this release?
Regards,
Nick
Hi Nick,
If you’re fully patched on v25.3, the jQuery issue shouldn’t be present.
You’ll need to upgrade to v26.1 to clear the Bootstrap finding, but it won’t actually present an issue for you regardless; it’s in a specific component of Bootstrap and isn’t exploitable.
Richard
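Richard’s point in his first reply and in the reply above (out-of-date is not the same as vulnerable, and an issue in a component the product never ships or loads is not exploitable) can be turned into a repeatable check to run against a tenant before and after patching. The script below is an added example, not Netcall’s code or any tool mentioned in this thread. It reads the banner comment that jQuery UI and Bootstrap builds carry at the top of the served `.js` file, extracts the version and (for jQuery UI custom builds) the `Includes:` module list, and then compares the version against the release that fixed each known advisory rather than against “latest”. The two header samples are constructed, and the fix versions and affected modules in `FIXES` are entered from the libraries’ published advisories as I know them; confirm them against the current advisory feed before relying on the verdict.

```python
"""Triage an "outdated front-end library" pen-test finding.

Added example (not Netcall's code). Distinguishes three outcomes per advisory:
  fixed        - served version is at or above the release that fixed it
  not in build - version is below the fix, but the affected module is not
                 in the custom build's "Includes:" list (not reachable)
  affected     - version is below the fix and the module is shipped (or the
                 build does not say what it contains)
"""
import re
from typing import NamedTuple, Optional

# Constructed samples of the banner comments found at the top of the served
# jquery-ui.js / bootstrap.js; not captured from any real tenant.
SAMPLE_JQUERY_UI_HEADER = """/*! jQuery UI - v1.12.1 - 2016-09-14
* http://jqueryui.com
* Includes: widget.js, position.js, data.js, keycode.js, widgets/draggable.js, widgets/resizable.js, widgets/datepicker.js
* Copyright jQuery Foundation and other contributors; Licensed MIT */
"""
SAMPLE_BOOTSTRAP_HEADER = """/*!
 * Bootstrap v4.3.1 (https://getbootstrap.com/)
 * Copyright 2011-2019 The Bootstrap Authors
 */
"""


class Fix(NamedTuple):
    advisory: str
    fixed_in: tuple          # first fixed release per maintained branch
    modules: tuple           # module files the issue lives in


# Entered from the published jQuery UI / Bootstrap advisories for illustration.
# ASSUMPTION: verify these against the current advisory feed before use.
FIXES = {
    "jquery-ui": [
        Fix("CVE-2021-41182", ("1.13.0",), ("datepicker.js",)),
        Fix("CVE-2021-41183", ("1.13.0",), ("datepicker.js",)),
        Fix("CVE-2021-41184", ("1.13.0",), ("position.js",)),
        Fix("CVE-2022-31160", ("1.13.2",), ("checkboxradio.js",)),
    ],
    "bootstrap": [
        Fix("CVE-2019-8331", ("3.4.1", "4.3.1"), ("tooltip.js", "popover.js")),
    ],
}

HEADER_PATTERNS = {
    "jquery-ui": re.compile(r"jQuery UI - v(\d+(?:\.\d+)*)"),
    "bootstrap": re.compile(r"Bootstrap v(\d+(?:\.\d+)*)"),
}
INCLUDES = re.compile(r"Includes:\s*([^\n]+)")


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_fixed(version: str, fixed_in: tuple) -> bool:
    """True if `version` is at or above the fixing release on its own branch.
    A major line with no fixing release: newer than every fixed branch means
    the fix is inherited, older means the branch never received it."""
    v = parse_version(version)
    same_branch = [f for f in fixed_in if parse_version(f)[0] == v[0]]
    if same_branch:
        return v >= parse_version(same_branch[0])
    return v[0] > max(parse_version(f)[0] for f in fixed_in)


def identify(text: str):
    """Return (library, version) from a banner comment, or (None, None)."""
    for lib, pat in HEADER_PATTERNS.items():
        m = pat.search(text)
        if m:
            return lib, m.group(1)
    return None, None


def included_modules(text: str) -> Optional[set]:
    """Module basenames from a jQuery UI 'Includes:' line; None if absent."""
    m = INCLUDES.search(text)
    if not m:
        return None
    return {item.strip().split("/")[-1] for item in m.group(1).split(",")}


def triage(header_text: str) -> dict:
    lib, version = identify(header_text)
    if lib is None:
        return {"library": None, "version": None, "findings": [], "verdict": "unrecognised"}
    modules = included_modules(header_text)
    findings = []
    for fix in FIXES.get(lib, []):
        if is_fixed(version, fix.fixed_in):
            status = "fixed"
        elif modules is not None and not (set(fix.modules) & modules):
            status = "not in build"
        else:
            status = "affected"
        findings.append((fix.advisory, status))
    if any(s == "affected" for _, s in findings):
        verdict = "vulnerable"
    elif any(s == "not in build" for _, s in findings):
        verdict = "below fix version, affected module not shipped"
    else:
        verdict = "no known vulnerability"
    return {"library": lib, "version": version, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_JQUERY_UI_HEADER, SAMPLE_BOOTSTRAP_HEADER):
        print(triage(sample))
```

In practice you would feed the script the first few lines of each library file fetched from the tenant’s public URL, and re-run it after the patch to confirm the banner version actually moved; a scanner that only reports “not the latest release” will still flag a build that this check reports as fixed, which is exactly the false-positive case Richard describes.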
Thanks Richard,
Sorry, one more question; do you know when v2026.1 will be released? I’m unable to upgrade our environments.
Regards,
Nick
Hi Nick,
Next week - keep an eye out for the Release email from us, and also the confirmation post in the forum.
Richard