-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2950
                    CVE announcements for Cordova-Android
                              26 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cordova-Android
Publisher:         The Apache Software Foundation
Operating System:  Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5257 CVE-2015-5256

Original Bulletin:
   https://cordova.apache.org/announcements/2015/11/20/security.html

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE announcements for Cordova-Android

By: Joe Bowser
20 Nov 2015

Two older vulnerabilities were brought to our attention, and while we found
that they were fixed in later versions of Cordova, we are required to announce
these vulnerabilities, and to encourage users to upgrade to a supported
version of Cordova, the lowest stable version currently being Android 4.1.0.
We are no longer supporting Cordova-Android 3.x due to security issues related
to the legacy whitelist implementation, and we recommend that users upgrade to
Cordova Android 5.0.x for Marshmallow support.

When using the Cordova CLI, the command to use 4.1.0 of Cordova Android is:

    cordova platform add android@4.1.0

The security issues are CVE-2015-5256 and CVE-2015-5257. For your
convenience, the text of the CVEs is included here.

CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist
restrictions on Android

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android 3.7.2 and earlier

Description:
Android applications created using Apache Cordova that use a remote server
contain a vulnerability where whitelist restrictions are not properly applied.
Improperly crafted URIs could be used to circumvent the whitelist, allowing
for the execution of non-whitelisted JavaScript.

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 4.1.1. Developers using remote content roots should also use
SSL, as well as Content Security Policy, to further mitigate this issue.

Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc.

CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.6.4

Description:
Cordova uses a bridge that allows the native application to communicate with
the HTML and JavaScript that control the user interface. To protect this
bridge on Android, the framework uses a BridgeSecret to protect it from
third-party hijacking. However, the BridgeSecret is not sufficiently random
and can be determined in certain scenarios.

Upgrade path:
Developers who are concerned about this issue should rebuild their
applications with Cordova Android 4.1.1 or later. Versions after 3.6.4 do not
contain this vulnerability.

Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained
in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVlafgn6ZAP0PgtI9AQJMmRAAtnQxZRSAPdlaR6d8RfJMU9fPk46vq6D5
8NbWN/wXv0gZxXSdOekAu6RlpKxwwuenXgvbTq/pFdGGk7MTHWDGA2gxbC8MoMMq
ITJ92V4oa8q9CluUJC1he5G6VFMWQe6mD4O5WU7qmSRV1vkvbeyLOQZCIlWjMdVx
eS8nc4BR41CnmbmdHM39mMd1UAdxh62CqBGXlD5CE7zDeACTG0vz32GdOwKXQQBX
QXqTB4Usl/JoAwOcClw1obBs7/CJT2pR/Z6PE32Vfcu8K7kOfDfIEyyUkXQfehY2
COK/xwRArKRm61pnNFUyEiWftT/ud4VBfSPk4VBtrA6BctCrUAnnspxoTcX7cthS
DRQ/fkq5F5acpbhZ7MakBUVVsIDFfW2RpTdfz49awD9k+ioEflRw29DsmhcpXEbW
3Z1cCpC8DvBQTMLPRXcTwIY4XTmvmzKChYEL2Q4BV+bgMDj1GS/tAv+1Y4XP0WJ6
LitRZdli/emRxsB0fFiHFzEfddVI1mJPikVqtYxBxDdJG2sbStMMfcC6P5u/kwrN
HG6oJGbSHKfiIsHjOPCMxszVdR4BRgLH5ghCzUylHwjI0RGGIx0GvIe98H7NLf2u
dmfEEItRhl7gNRTA6RYkvM8hmmIUIvMtFPLHDRfaErc4XnfF+vOuhiiBvJBgJvOT
cT+AT6xPZVs=
=pJKB
-----END PGP SIGNATURE-----