Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2950
CVE annoucements for Cordova-Android
26 November 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cordova-Android
Publisher: The Apache Software Foundation
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-5257 CVE-2015-5256
Original Bulletin:
https://cordova.apache.org/announcements/2015/11/20/security.html
- --------------------------BEGIN INCLUDED TEXT--------------------
CVE annoucements for Cordova-Android
By: Joe Bowser
20 Nov 2015
Two older vulerabilities were brought to our attention, and while we found
that they were fixed in later versions of Cordova, we are required to announce
these vulnerabilities, and to encourage users to upgrade to a supported
version of Cordova, the lowest stable version currently being Android 4.1.0.
We are no longer supporting Cordova-Android 3.x due to security issues related
to the legacy whitelist implementation, and we recommend that users upgrade to
Cordova Android 5.0.x for Marshmallow support.
When using the Cordova CLI, the command to use 4.1.0 of Cordova Android is:
cordova platform add android@4.1.0
The security issues are CVE-2015-5256 and CVE-2015-5257
For your convenience, the text of the CVEs are included here.
CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist
restrictions on Android
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Cordova Android 3.7.2 and earlier
Description: Android applications created using Apache Cordova that use a
remote server contain a vulnerability where whitelist restrictions are not
properly applied. Improperly crafted URIs could be used to circumvent the
whitelist, allowing for the execution of non-whitelisted Javascript.
Upgrade path: Developers who are concerned about this should rebuild their
applications with Cordova Android 4.1.1. Developers using remote content roots
should also use SSL, as well as Content Source Policy to further mitigate this
issue.
Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: Cordova Android versions up to 3.6.4
Description:
Cordova uses a bridge that allows the Native Application to communicate with
the HTML and Javascript that control the user interface. To protect this
bridge on Android, the framework uses a BridgeSecret to protect it from
third-party hijacking. However, the BridgeSecret is not sufficiently random
and can be determined in certain scenarios.
Upgreade Path: Developers who are concerned about this issue should rebuild
their applications with Cordova Android 4.1.1 or later. Versions after 3.6.4
do not contain this vulnerability.
Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research
Team
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVlafgn6ZAP0PgtI9AQJMmRAAtnQxZRSAPdlaR6d8RfJMU9fPk46vq6D5
8NbWN/wXv0gZxXSdOekAu6RlpKxwwuenXgvbTq/pFdGGk7MTHWDGA2gxbC8MoMMq
ITJ92V4oa8q9CluUJC1he5G6VFMWQe6mD4O5WU7qmSRV1vkvbeyLOQZCIlWjMdVx
eS8nc4BR41CnmbmdHM39mMd1UAdxh62CqBGXlD5CE7zDeACTG0vz32GdOwKXQQBX
QXqTB4Usl/JoAwOcClw1obBs7/CJT2pR/Z6PE32Vfcu8K7kOfDfIEyyUkXQfehY2
COK/xwRArKRm61pnNFUyEiWftT/ud4VBfSPk4VBtrA6BctCrUAnnspxoTcX7cthS
DRQ/fkq5F5acpbhZ7MakBUVVsIDFfW2RpTdfz49awD9k+ioEflRw29DsmhcpXEbW
3Z1cCpC8DvBQTMLPRXcTwIY4XTmvmzKChYEL2Q4BV+bgMDj1GS/tAv+1Y4XP0WJ6
LitRZdli/emRxsB0fFiHFzEfddVI1mJPikVqtYxBxDdJG2sbStMMfcC6P5u/kwrN
HG6oJGbSHKfiIsHjOPCMxszVdR4BRgLH5ghCzUylHwjI0RGGIx0GvIe98H7NLf2u
dmfEEItRhl7gNRTA6RYkvM8hmmIUIvMtFPLHDRfaErc4XnfF+vOuhiiBvJBgJvOT
cT+AT6xPZVs=
=pJKB
-----END PGP SIGNATURE-----