Important update for CKEditor 4 Users #5519

Open
jacekbogdanski opened this issue May 1, 2024 · 9 comments
Labels
status:confirmed An issue confirmed by the development team.

Comments

@jacekbogdanski
Member

As we approach the one-year anniversary of CKEditor 4 reaching its end of life, it's crucial to emphasize the importance of maintaining a secure software environment.

Starting July 1st, we'll activate security notifications for CKEditor 4. This change will impact the open-source version 4.22 and all earlier versions served via our CDN. These notifications will alert users and integrators to the presence of unsecured CKEditor 4 versions, which may be vulnerable to security threats. As of this writing, the latest secure version of CKEditor 4 is 4.24.0-lts. Applications using secure CKEditor 4 versions won’t be impacted by these notifications.
Our aim with this initiative is to raise awareness about the risks associated with using version 4.22 and below, which have known security vulnerabilities. We want to ensure all integrators are informed and able to make informed decisions about their next steps.

Options for Integrators

For integrators, we recognize that seeing these notifications may not always be ideal. Therefore, CKEditor 4 includes an option to disable these security notifications. However, while this may offer temporary relief, we strongly advise against continuing to use an unsecured version of CKEditor 4. Disabling notifications without addressing underlying security risks leaves your application exposed to potential threats.

For those interested in using the latest, secure version of CKEditor 4, reach out to us regarding obtaining a CKE 4 LTS license.

You may manually disable security notifications for the editor using the following configuration option: config.versionCheck

CKEDITOR.replace( 'editor', {
    // Disable security notifications.
    versionCheck: false
} );

We’ve prepared additional content to help you learn more about our Extended Support Model for CKEditor 4 and how we can help keep your application secure.

@jacekbogdanski jacekbogdanski pinned this issue May 1, 2024
@jacekbogdanski jacekbogdanski added the status:confirmed An issue confirmed by the development team. label May 1, 2024
@QMiqTx6DHn1bA9yaNaAbsD3CLG8gTmd4

QMiqTx6DHn1bA9yaNaAbsD3CLG8gTmd4 commented Jul 3, 2024

> This change will impact the open-source version 4.22 and all earlier versions served via our CDN

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

@gtbu

gtbu commented Jul 16, 2024

Well, if I generate version 4.24.0-LTS from my built-config.js of Typesetter CMS, the downloaded version doesn't come up (4.22.1 does!). What can be the reason? I get some inner errors of the ckeditor.js in the Firefox debugger...

@jacekbogdanski
Member Author

> What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?

The only solution for that issue that I'm aware of is recreating an SRI hash. That's not a perfect scenario, but the information about the CDN update had been available long before the notification was introduced to CDNs. As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it.

@jacekbogdanski
Member Author

> Well - if i generate version 4.24.0-LTS from my built-config.js of Typesetter CMS - the downloaded version doesnt come up (4.22.1 does !) - what can be the reason ? I get some inner errors of the ckeditor.js in firefox-debugger....

I advise you to contact the CMS maintainer; we can't help much with third-party software.

@gtbu

gtbu commented Jul 17, 2024

I have now installed the full version under Typesetter 5.2/jquery 2.24. I get this error here:

[CKEDITOR] Error code: editor-plugin-deprecated. Object { plugin: "flash" } plugin: "flash"

: Object { … }
jquery.js:918:171
[CKEDITOR]
For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#editor-plugin-deprecated jquery.js:918:266
[CKEDITOR]: The license key is missing or invalid.

If you suddenly started to see this message, this may mean you accidentally updated CKEditor 4 to the LTS version (4.23.0 and above). This version of the editor is under commercial terms and requires acquiring an "Extended Support Model" contract - https://ckeditor.com/ckeditor-4-support/

For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#invalid-lts-license-key

So I must register, that's all: versions from a CDN will not run at Typesetter. I would prefer a popup 'Please enter your registration key'.

@EliezerB123

EliezerB123 commented Jul 17, 2024

> > What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?
>
> The only solution for that issue that I'm aware of is recreating an SRI hash. That's not a perfect scenario but the information about the CDN update has been available long before notification has been introduced to CDNs. As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it.

This could just as easily have been a console.error() message, instead of displaying a MASSIVE RED BOX in front of every user's face, which they need to close in order to complete their flow.

Both the notification itself, and the announcement, have between them a total of THREE separate URLs encouraging developers into buying your product or face the consequences.

(The fact that this notification isn't appearing on version 4.23.0-LTS, which is also insecure, speaks rather loudly.) While security is important, pretending this change was made out of thoughtfulness and the goodness of your heart, instead of an attempt to squeeze money out of users who aren't paying for LTS, is frankly a little bit gross.

@edpichler

A dark pattern to force everybody to purchase the commercial version. We all know what you are doing. Disappointing.

@jacekbogdanski
Member Author

CKEditor 4 was sunsetted in June 2023. We used all the possible communication channels to notify everyone that the project would no longer be maintained.

The ckeditor.com website contained the information that CKEditor 4 was going EOL in 2023 starting from the end of 2019. When we got closer to the deadline, we sent an email to all newsletter subscribers, published a blog post in March 2023 and mentioned the end of life in the changelog file of CKEditor 4 in June 2023: https://github.com/ckeditor/ckeditor4/blob/master/CHANGES.md#ckeditor-4220--4221
In the same changelog file, we explained that the editor would notify when it stops being secure (to protect users from integrators who forget to keep their systems up to date and safe).

Additionally, we updated the README file of the project as well as the description of the npm package to again increase the awareness that the project is no longer maintained and will become insecure sooner or later.

On May 1st, 2024, we announced through this issue and in our blog post here that security notifications will be enabled for CDN-based editor versions of CKEditor 4.

We did everything we could to reach out to all CKEditor 4 users with the information that they should migrate to another version of CKEditor, or switch to CKEditor 4 LTS.

As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it. There have been months/years to take appropriate actions and replace/upgrade CKEditor 4 that went out of support.

Moreover, you can continue using the open-source CKEditor 4.22.1 version, with the option to easily disable notifications through a simple configuration setting, if you are willing to take that risk, which we don't recommend.

> (The fact that this notification isn't appearing on version 4.23.0-LTS, which is also insecure, speaks rather loudly.)

CKEditor 4 LTS requires an ESM contract, and we are confident that customers choosing to invest in this commitment understand the importance of maintaining the security of CKEditor 4. Additionally, we use various communication channels to keep our committed customers informed about critical updates and security measures.

@ckeditor ckeditor locked and limited conversation to collaborators Aug 21, 2024