Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                   CVE annoucements for Cordova-Android
                             26 November 2015


        AusCERT Security Bulletin Summary

Product:           Cordova-Android
Publisher:         The Apache Software Foundation
Operating System:  Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5257 CVE-2015-5256 

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE annoucements for Cordova-Android

By: Joe Bowser

20 Nov 2015

Two older vulerabilities were brought to our attention, and while we found 
that they were fixed in later versions of Cordova, we are required to announce
these vulnerabilities, and to encourage users to upgrade to a supported 
version of Cordova, the lowest stable version currently being Android 4.1.0. 
We are no longer supporting Cordova-Android 3.x due to security issues related
to the legacy whitelist implementation, and we recommend that users upgrade to
Cordova Android 5.0.x for Marshmallow support.

When using the Cordova CLI, the command to use 4.1.0 of Cordova Android is:

cordova platform add android@4.1.0

The security issues are CVE-2015-5256 and CVE-2015-5257

For your convenience, the text of the CVEs are included here.

CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist
restrictions on Android

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android 3.7.2 and earlier

Description: Android applications created using Apache Cordova that use a 
remote server contain a vulnerability where whitelist restrictions are not 
properly applied. Improperly crafted URIs could be used to circumvent the 
whitelist, allowing for the execution of non-whitelisted Javascript.

Upgrade path: Developers who are concerned about this should rebuild their 
applications with Cordova Android 4.1.1. Developers using remote content roots
should also use SSL, as well as Content Source Policy to further mitigate this

Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc

CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.6.4


Cordova uses a bridge that allows the Native Application to communicate with 
the HTML and Javascript that control the user interface. To protect this 
bridge on Android, the framework uses a BridgeSecret to protect it from 
third-party hijacking. However, the BridgeSecret is not sufficiently random 
and can be determined in certain scenarios.

Upgreade Path: Developers who are concerned about this issue should rebuild 
their applications with Cordova Android 4.1.1 or later. Versions after 3.6.4 
do not contain this vulnerability.

Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research 

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967