cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fowler, Angela" <ange...@fast.au.fujitsu.com>
Subject RE: Apache Cordova 3.5.1
Date Tue, 26 Aug 2014 04:37:21 GMT
Hi,

Would anyone be able to tell me if there are release notes listing JIRA issues for 3.5.1?

The release notes were changed but seems to be just the 3.5.0 issues.
	https://github.com/apache/cordova-android/compare/3.5.0...3.5.1
	https://github.com/apache/cordova-android/commits/15056733932154c86e51739c2352a890b7d9dad1/RELEASENOTES.md

Also if possible, is there an estimate for the 3.6.0 release with whitelist changes?
 
Thanks
Angela
-----Original Message-----
From: Marcel Kinard [mailto:cmarcelk@gmail.com] 
Sent: Tuesday, 5 August 2014 9:09 AM
To: security@apache.org; oss-security@lists.openwall.com; bugtraq@securityfocus.com; dev@cordova.apache.org
Subject: Apache Cordova 3.5.1

Android Platform Release: 04 Aug 2014

Security issues were discovered in the Android platform of Cordova. We are releasing version
3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications
built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms
such as iOS are unaffected, and do not have an update.

The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.

For your convenience, the text of these CVEs is included here.

A blog post is available at http://cordova.apache.org/#news


CVE-2014-3500: Cordova cross-application scripting via Android intent URLs


Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can be launched through a special intent
URL. A specially-crafted URL could cause the Cordova-based application to start up with a
different start page than the developer intended, including other HTML content stored on the
Android device. This has been the case in all released versions of Cordova up to  3.5.0, and
has been fixed in the latest release (3.5.1). We recommend affected projects update their
applications to the latest release.

Upgrade path:
Developers who are concerned about this should rebuild their applications with Cordova Android
3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
All released Cordova Android versions

Description:
Android applications built with the Cordova framework use a WebView component to display content.
Cordova applications can specify a whitelist of URLs which the application will be allowed
to display, or to communicate with via XMLHttpRequest. This whitelist, however, is not used
by the WebView component when it is directed via JavaScript to communicate over non-http channels.

Specifically, it can be possible to open a WebSocket connection from the application JavaScript
which will connect to any reachable server on the Internet. If an attacker is able to execute
arbitrary JavaScript within the application, then that attacker can cause a connection to
be opened to any server, bypassing the HTTP whitelist.

This is a limitation of the hybrid app architecture on Android in general, and not specific
to Apache Cordova.

It is possible to mitigate this attack vector by adding a CSP meta tag to all HTML pages in
the application, to allow connections only to trusted sources.
App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk of XAS attacks
against their applications, which could then use this mechanism to reach unintended servers.
See CVE-2014-3500 for more information on a possible XAS vulnerability.

Upgrade path:
Developers who are concerned about this should rebuild their applications with Cordova Android
3.5.1, and consider adding CSP meta tags to their application HTML.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can launch other applications through
the use of anchor tags, or by redirecting the webview to an Android intent URL. An attacker
who can manipulate the HTML content of a Cordova application can create links which open other
applications and send arbitrary data to those applications. An attacker who can run arbitrary
JavaScript code within the context of the Cordova application can also set the document location
to such a URL. By using this in concert with a second, vulnerable application, an attacker
might be able to use this method to send data from the Cordova application to the network.

The latest release of Cordova Android takes steps to block explicit Android intent urls, so
that they can no longer be used to start arbitrary applications on the device.

Upgrade path:
Developers who are concerned about this should rebuild their applications with Cordova Android
3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


Mime
View raw message