Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Important update for CKEditor 4 Users #5519

Open
jacekbogdanski opened this issue May 1, 2024 · 9 comments
Open

Important update for CKEditor 4 Users #5519

jacekbogdanski opened this issue May 1, 2024 · 9 comments
Labels
status:confirmed An issue confirmed by the development team.

Comments

@jacekbogdanski
Copy link
Member

As we approach the one-year anniversary of CKEditor 4 reaching its end of life, it's crucial to emphasize the importance of maintaining a secure software environment.

Starting July 1st, we'll activate security notifications for CKEditor 4. This change will impact the open-source version 4.22 and all earlier versions served via our CDN. These notifications will alert users and integrators to the presence of unsecured CKEditor 4 versions, which may be vulnerable to security threats. As of this writing, the latest secure version of CKEditor 4 is 4.24.0-lts. Applications using secure CKEditor 4 versions won’t be impacted by these notifications.
image
Our aim with this initiative is to raise awareness about the risks associated with using version 4.22 and below, which have known security vulnerabilities. We want to ensure all integrators are informed and able to make informed decisions about their next steps.

Options for Integrators

For integrators, we recognize that seeing these notifications may not always be ideal. Therefore, CKEditor 4 includes an option to disable these security notifications. However, while this may offer temporary relief, we strongly advise against continuing to use an unsecured version of CKEditor 4. Disabling notifications without addressing underlying security risks leaves your application exposed to potential threats.

For those interested in using the latest, secure version of CKEditor 4, reach out to us regarding obtaining a CKE 4 LTS license.

You may manually disable security notifications for the editor using the following configuration option: config.versionCheck

CKEDITOR.replace( 'editor', {
    // Disable security notifications.
    versionCheck: false
} );

We’ve prepared additional content to help you learn more about our Extended Support Model for CKEditor 4 and how we can help keep your application secure.

@jacekbogdanski jacekbogdanski pinned this issue May 1, 2024
@jacekbogdanski jacekbogdanski added the status:confirmed An issue confirmed by the development team. label May 1, 2024
@QMiqTx6DHn1bA9yaNaAbsD3CLG8gTmd4
Copy link

QMiqTx6DHn1bA9yaNaAbsD3CLG8gTmd4 commented Jul 3, 2024

This change will impact the open-source version 4.22 and all earlier versions served via our CDN

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

@gtbu
Copy link

gtbu commented Jul 16, 2024

Well - if i generate version 4.24.0-LTS from my built-config.js of Typesetter CMS - the downloaded version doesnt come up (4.22.1 does !) - what can be the reason ? I get some inner errors of the ckeditor.js in firefox-debugger....

@jacekbogdanski
Copy link
Member Author

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

The only solution for that issue that I'm aware of is recreating an SRI hash. That's not a perfect scenario but the information about the CDN update has been available long before notification has been introduced to CDNs. As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it.

@jacekbogdanski
Copy link
Member Author

Well - if i generate version 4.24.0-LTS from my built-config.js of Typesetter CMS - the downloaded version doesnt come up (4.22.1 does !) - what can be the reason ? I get some inner errors of the ckeditor.js in firefox-debugger....

I advise you to contact the CMS maintainer, we can't help much with the 3rd party software.

@gtbu
Copy link

gtbu commented Jul 17, 2024

I have now installed the full version under Typesetter 5.2/jquery 2.24 : I get here the error

[CKEDITOR] Error code: editor-plugin-deprecated. Object { plugin: "flash" } plugin: "flash"

: Object { … }
jquery.js:918:171
[CKEDITOR]
For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#editor-plugin-deprecated jquery.js:918:266
[CKEDITOR]: The license key is missing or invalid.

If you suddenly started to see this message, this may mean you accidentally updated CKEditor 4 to the LTS version (4.23.0 and above). This version of the editor is under commercial terms and requires acquiring an "Extended Support Model" contract - https://ckeditor.com/ckeditor-4-support/

For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#invalid-lts-license-key

So i must register - thats all : Versions from a CDN will not run at Typesetter. I would prefer a popup 'Please enter Your registration-key'

@EliezerB123
Copy link

EliezerB123 commented Jul 17, 2024

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

The only solution for that issue that I'm aware of is recreating an SRI hash. That's not a perfect scenario but the information about the CDN update has been available long before notification has been introduced to CDNs. As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it.

This could just as easily have been a console.error() message, instead of displaying a MASSIVE RED BOX in front of every users' face, that they need to close in order to complete their flow.

Both the notification itself, and the announcement, have between them a total of THREE separate URLs encouraging developers into buying your product or face the consequences.

(The fact that this notification isn't appearing on version 4.23.0-LTS, which is also insecure, speaks rather loudly.) While security is important, pretending this change was made out of thoughtfulness and the goodness of your heart, instead of an attempt to squeeze money out of users who aren't paying for LTS, is frankly a little bit gross.

@edpichler
Copy link

A dark pattern to force everybody to purchase the commercial version. We all know what you are doing. Disappointing.

@Ninjadigital8

This comment was marked as spam.

@jacekbogdanski
Copy link
Member Author

CKEditor 4 was sunsetted in June 2023. We used all the possible communication channels to notify everyone that the project would no longer be maintained.

The ckeditor.com website contained the information that CKEditor 4 is going EOL in 2023 starting from the end of 2019. When we got closer to the deadline, we sent an email to all newsletter subscribers, published a blog post in March 2023 and mentioned the end of life in the changelog file of CKEditor 4 in June 2023: https://github.com/ckeditor/ckeditor4/blob/master/CHANGES.md#ckeditor-4220--4221
In the same changelog file, we explained the editor will notify when it stops being secure (to protect users from integrators who forget to keep their systems up to date and safe).

Additionally, we updated the README file of the project as well as the description of the npm package to again increase the awareness that the project is no longer maintained and will become insecure sooner or later.

On May 1st, 2024, we announced through this issue and in our blog post here that security notifications will be enabled for CDN-based editor versions of CKEditor 4.

We did everything we could to reach out to all CKEditor 4 users with the information that they should migrate to another version of CKEditor, or switch to CKEditor 4 LTS.

As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it. There have been months/years to take appropriate actions and replace/upgrade CKEditor 4 that went out of support.

Moreover, you can continue using the open-source CKEditor 4.22.1 version, with the option to easily disable notifications through a simple configuration setting, if you are willing to take that risk, which we don't recommend.

(The fact that this notification isn't appearing on version 4.23.0-LTS, which is also insecure, speaks rather loudly.)

CKEditor 4 LTS requires an ESM contract, and we are confident that customers choosing to invest in this commitment understand the importance of maintaining the security of CKEditor 4. Additionally, we use various communication channels to keep our committed customers informed about critical updates and security measures.

@ckeditor ckeditor locked and limited conversation to collaborators Aug 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
status:confirmed An issue confirmed by the development team.
Projects
None yet
Development

No branches or pull requests

6 participants