CKEditor 4.22.1 and Concrete CMS Security Updates

On February 7th, 2024, we received a bug report that the rich text editor in Concrete CMS 8 and 9 was displaying a strange and alarming warning:

This warning states “This CKEditor 4.22.1 (Standard) version is not secure. Consider upgrading to the latest one, 4.24.0-lts.”

Naturally, this has prompted concern and confusion from our customers and members in our community, and I feel it’s important to address it. Here’s what I know about this, what caused it, what it’s regarding specifically, our plans to address it and how we’re planning to move forward.

Before I delve more deeply into this, let me summarize: rest easy that your site is NOT affected by the CKEditor vulnerabilities UNLESS you enabled the preview CKEditor plugin which Concrete CMS disables by default. Concrete 8.5.14 and 9.2.6 will ensure that no Concrete CMS users are affected.

The Cause

Concrete CMS uses CKEditor 4 as its rich text editor. As of Concrete CMS 8.5.13 and 9.2.5, the underlying CKEditor library has been updated to the latest version possible, version 4.22.1. As CKEditor has stated, this is the latest version of the editor that will be released. All subsequent versions of CKEditor 4 will be released under their LTS license. CKEditor 4 LTS is a commercial product, and therefore cannot be included with Concrete CMS.

On February 7, CKEditor released 4.24.0 LTS, which fixed several security issues. When this occurred, their system marked version 4.22.1 as insecure. Version 4.22.1 apparently has a version check routine where it checks itself against a centralized CKEditor database. When it did so, and learned that CKEditor considered this version insecure, the security warning text was retrieved and displayed. This was not a message we had ever seen; since it hadn’t been used prior to February 7, 2024.

Immediate Fixes

First - it should be noted that as of this writing you will not have to employ any of these options to get rid of this notice. It should already be gone, because it is triggered externally from CKEditor and they have disabled the notice. They may re-enable it in several weeks, however, so it would be good to act on this eventually.

If you do see this message on any of your sites, there are several ways you can remove it:

  1. You can modify your site’s configuration to add the versionCheck CKEditor configuration value to the editor, as described this message: This CKEditor 4.22.1 (Standard) version is not secure. Consider upgrading to the latest one, 4.24.0-lts. · Issue #11931 · concretecms/concretecms · GitHub
  2. You can upgrade to Concrete CMS 9.2.6 and 8.5.15 – both of which have just been released and are available from Download :: Concrete CMS - Org

In doing so, you will be fixing the issue by disabling the versionCheck routine that CKEditor added to their own routine. This will ensure that the message no longer displays.

Additionally, CKEditor has also temporarily halted this display of this message in their system – so you may not have even seen it. More information about this – along with our message to them – can be found here: Obnoxious interstitial "security notice" obscures the editor · Issue #15811 · ckeditor/ckeditor5 · GitHub

Security Concerns

While much of this post is concerned with hiding the heavy-handed security message being pushed into the rich text editor, it would be irresponsible not to address and understand the issues that 4.24.0 is meant to solve. 4.24.0 fixes the following vulnerabilities

  1. Issue summary: The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. See GHA for more details.
  2. Issue summary: The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. See GHA for more details.
  3. Issue summary: The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. See GHA for more details.

Issue 1 requires the full page editing feature, which Concrete CMS does not use and does not support. Issue 2 requires the use of certain old files in a samples subdirectory. Concrete does include these files - they will be removed in Concrete CMS 9.2.6 and 8.5.15. Finally, issue 3 requires the use of the samples directory – removed in 9.2.6 and 8.5.15 – along with the use of the preview CKEditor plugin, which Concrete does ship but which is not enabled by default.

Summary: these issues, while valid, do not materially compromise a standard Concrete site.

Ongoing Concerns

Not everything about this situation is resolved, and we have ongoing concerns. Namely, I find it highly suspect that the behavior of our rich text editor can be changed by external processes, as was the case with this notification. We will continue to monitor this situation.

As mentioned in this message, CKEditor will be turning this message back on in several months, so it is advisable to adopt these upgrades in the interim to ensure that it does not display on your Concrete sites when they do so.

Regarding the updating of CKEditor in a more fundamental way: CKEditor is aggressively pushing their commercial LTS offering as a solution, but that’s clearly something we cannot adopt in the free core of Concrete CMS. CKEditor 5 is no longer licensed under the LGPL, and has no alternative license available that will allow it to be cleanly shipped with our software, which adopts the permissive and comparatively easy-to-understand MIT license. Talks with CKEditor to obtain a license for CKEditor 5 have also stalled, and we are actively exploring alternatives. We will continue to provide safe, secure tools for use with editing your websites, just as we always have.

9 Likes

Thanks for the exhaustive description of the problem, @andrew !

Talks with CKEditor to obtain a license for CKEditor 5 have also stalled

Could you explain this sentence a bit more?
Did you write them but still haven’t received a feedback?
Or they are pushing for being somehow paid?

You’re welcome!

Could you explain this sentence a bit more?
Did you write them but still haven’t received a feedback?
Or they are pushing for being somehow paid?

@frz will have to weigh in on this one.

We did have several conversations.
Seemed that some people there wanted to make something happen to begin with, and we were even open to being told what v4 LTE support would cost. In the end there wasn’t any way they were going to allow us to release it under a permissive open source license, and the contract they wanted us to sign was unacceptable in a few ways I won’t bother getting into.

tl:dr> new ownership, they need to make more money. Good luck to them!

For us, we’ll have to find or make something new with Concrete v10. I’ve long been wishing for an editor with fewer controls that integrated better into our editing experience. I think images and tables could be better handled with one off blocks, and something that was more in-context and more default as part of the page for text with markdown level formatting would do the job nicely. Who needs all those toolbars in 2024 anyway?

Mitigating future weird decisions from CKEditor v4 that is already out there in Concrete v8 and v9 will be a challenge. They seemed pretty clear about their intentions on the call I had with them, and forcing a totally over zealous warning message in the hopes to get paid doesn’t shock me. As Andy pointed out they make it clear they plan on turning it back on again one day…

Wouldn’t shock me if someone forked that project, turned off 70% of the toolbars and just kept it alive for a while.

2 Likes

Thanks very much, very good to see dealing so well and quickly with the situation

I’m enjoying working with Summernote if that’s something worth looking into. My fear in building something from scratch is the UX will be so unfamiliar that training becomes expensive.

It’s such a shame CKEditor isn’t more willing to work with open source projects, or even with reasonable prices. I’d be interested in using version 5 in some of my closed-source projects, but I’ve read the licensing costs are just unreasonable and I’m either sticking to version 4, or using other editors.

Some thoughts on editors in general:

  • I developed a ‘Table’ block for Concrete once, it was/is quite useful. But it’s all the ad-hoc little tasks that trip things up - being able to merge cells, format cells differently, maybe add some sizings to columns… trying to handle all that in a dedicated block can be really tricky, and that’s where CKEditor (and the ability to still jump into HTML mode) can often still be the better solution.
  • If I look at the default set of buttons Concrete enables for CKEditor, I’d say there’s really only a few that I’d actually be comfortable with being removed. Nearly all of the buttons are essential at times, or at least need to be able to be turned on. Some of our clients need to enter in dimensions, or more technical information, for example.
  • From looking at many editors, if CKEditor was to be switched out, I’d say that Summernote and Jodit are the two to consider first, as they both are under MIT licence and appear to be maintained. The critical thing is going to be configurability and how easy it is to extend with plugins (for file manager and sitemap functionality in particular). Jodit is a newer one for me, but it looks like they’ve got an better balance between offering the editor under MIT as well as a commercial license with ‘pro’ add-ons.
3 Likes

Thanks for these suggestions!

1 Like

I for one really love all the features CKEditor brings to the table, and this looks to have so much of that absent. I don’t know what to recommend, or what my preference is. But in addition to the licensing aspect, I would think it prudent to do feature comparison in the decision of where this topic is heading.

There are lot of CKEditor plugins I like to use, turn on, and all that, within the Concrete CMS ecosystem. So losing a lot of that functionality, I would not be so keen about that. But again, I don’t know what to actually recommend.

I have seen this happen with 9.3.7 (the client sent me a screen shot) so there appears to be something else going on under the hood.