CKEditor 4.22.1 and Concrete CMS Security Updates

CKEditor 4.22.1 and Concrete CMS Security Updates

Feb 12, 2024
by andrew

On February 7th, 2024, we received a bug report that the rich text editor in Concrete CMS 8 and 9 was displaying a strange and alarming warning:

https://github.com/concretecms/concretecms/issues/11931

This warning states "This CKEditor 4.22.1 (Standard) version is not secure. Consider upgrading to the latest one, 4.24.0-lts."

Naturally, this has prompted concern and confusion from our customers and members in our community, and I feel it's important to address it. Here's what I know about this, what caused it, what it's regarding specifically, our plans to address it and how we're planning to move forward.

Download 9.2.6

Before I delve more deeply into this, let me summarize: rest easy that your site is NOT affected by the CKEditor vulnerabilities UNLESS you enabled the preview CKEditor plugin which Concrete CMS disables by default. Concrete 8.5.14 and 9.2.6 will ensure that no Concrete CMS users are affected.

The Cause

Concrete CMS uses CKEditor 4 as its rich text editor. As of Concrete CMS 8.5.13 and 9.2.5, the underlying CKEditor library has been updated to the latest version possible, version 4.22.1. As CKEditor has stated, this is the latest version of the editor that will be released. All subsequent versions of CKEditor 4 will be released under their LTS license. CKEditor 4 LTS is a commercial product, and therefore cannot be included with Concrete CMS.

On February 7, CKEditor released 4.24.0 LTS, which fixed several security issues. When this occurred, their system marked version 4.22.1 as insecure. Version 4.22.1 apparently has a version check routine where it checks itself against a centralized CKEditor database. When it did so, and learned that CKEditor considered this version insecure, the security warning text was retrieved and displayed. This was not a message we had ever seen; since it hadn't been used prior to February 7, 2024.

Immediate Fixes

First - it should be noted that as of this writing you will not have to employ any of these options to get rid of this notice. It should already be gone, because it is triggered externally from CKEditor and they have disabled the notice. They may re-enable it in several weeks, however, so it would be good to act on this eventually.

If you do see this message on any of your sites, there are several ways you can remove it:

  1. You can modify your site's configuration to add the versionCheck CKEditor configuration value to the editor, as described this message: https://github.com/concretecms/concretecms/issues/11931#issuecomment-1933136575
  2. You can upgrade to Concrete CMS 9.2.6 and 8.5.15 – both of which have just been released and are available from https://concretecms.org/download.

In doing so, you will be fixing the issue by disabling the versionCheck routine that CKEditor added to their own routine. This will ensure that the message no longer displays.

Additionally, CKEditor has also temporarily halted this display of this message in their system – so you may not have even seen it. More information about this – along with our message to them – can be found here: https://github.com/ckeditor/ckeditor5/issues/15811#issuecomment-1933672902

Security Concerns

While much of this post is concerned with hiding the heavy-handed security message being pushed into the rich text editor, it would be irresponsible not to address and understand the issues that 4.24.0 is meant to solve. According to their release notes, 4.24.0 fixes the following vulnerabilities

  1. Issue summary: The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. See GHA for more details.
  2. Issue summary: The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. See GHA for more details.
  3. Issue summary: The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. See GHA for more details.

Issue 1 requires the full page editing feature, which Concrete CMS does not use and does not support. Issue 2 requires the use of certain old files in a samples subdirectory. Concrete does include these files - they will be removed in Concrete CMS 9.2.6 and 8.5.15. Finally, issue 3 requires the use of the samples directory – removed in 9.2.6 and 8.5.15 – along with the use of the preview CKEditor plugin, which Concrete does ship but which is not enabled by default.

Summary: these issues, while valid, do not materially compromise a standard Concrete site.

Ongoing Concerns

Not everything about this situation is resolved, and we have ongoing concerns. Namely, I find it highly suspect that the behavior of our rich text editor can be changed by external processes, as was the case with this notification. We will continue to monitor this situation.

As mentioned in this message, CKEditor will be turning this message back on in several months, so it is advisable to adopt these upgrades in the interim to ensure that it does not display on your Concrete sites when they do so.

Regarding the updating of CKEditor in a more fundamental way: CKEditor is aggressively pushing their commercial LTS offering as a solution, but that's clearly something we cannot adopt in the free core of Concrete CMS. CKEditor 5 is no longer licensed under the LGPL, and has no alternative license available that will allow it to be cleanly shipped with our software, which adopts the permissive and comparatively easy-to-understand MIT license. Talks with CKEditor to obtain a license for CKEditor 5 have also stalled, and we are actively exploring alternatives. We will continue to provide safe, secure tools for use with editing your websites, just as we always have.