Return-Path: X-Original-To: apmail-cordova-dev-archive@www.apache.org Delivered-To: apmail-cordova-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4D47F1822B for ; Fri, 20 Nov 2015 19:40:05 +0000 (UTC) Received: (qmail 92784 invoked by uid 500); 20 Nov 2015 19:40:05 -0000 Delivered-To: apmail-cordova-dev-archive@cordova.apache.org Received: (qmail 92744 invoked by uid 500); 20 Nov 2015 19:40:05 -0000 Mailing-List: contact dev-help@cordova.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cordova.apache.org Delivered-To: mailing list dev@cordova.apache.org Received: (qmail 92723 invoked by uid 99); 20 Nov 2015 19:40:04 -0000 Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Nov 2015 19:40:04 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 4BB52180AA3; Fri, 20 Nov 2015 19:40:04 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.898 X-Spam-Level: ** X-Spam-Status: No, score=2.898 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=3, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-us-west.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id AedbyH4F2UqS; Fri, 20 Nov 2015 19:40:03 +0000 (UTC) Received: from mail-io0-f169.google.com (mail-io0-f169.google.com [209.85.223.169]) by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with ESMTPS id 5DEA42031C; Fri, 20 Nov 2015 19:40:03 +0000 (UTC) Received: by ioir85 with SMTP id r85so134258398ioi.1; Fri, 20 Nov 2015 11:39:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=kLHmiRZGe0Nt7OfAtt9WhZ5UwXmz5UqIQgqGOIflNmM=; b=E9aFnT2dG16NyRv22Sy41ce43IwFfYPbu1jcxzotKW4trsNdnOo4ocSm/hn08Pn+hT /z9uYR2Dt30VrbfHC9CVvP2qzoxdyhyI1t2PaQIhnIHQhPxwy1dMOdzNLVgVQZhmT7Fv Am9PX6uCcqcQ7gE4wUffx4BC5FnfN306aWUjTPTxcYWnie9yOntz3p4H/XNCJMpCyqxb mP7IaMRqSPHNNGvVTJu5Ot50XKtFzjV3Qd1M3ZcBHVvXf5jFgsMYdVkdVlBVHRJpYhLX nIJV5V0qczHBvEXitNhTU49xLnFGDkPlHWiC6LjizEH40+h9yd4TRf4TACqjzi17Z24Z jruA== MIME-Version: 1.0 X-Received: by 10.107.128.156 with SMTP id k28mr14864923ioi.26.1448048397005; Fri, 20 Nov 2015 11:39:57 -0800 (PST) Received: by 10.64.25.98 with HTTP; Fri, 20 Nov 2015 11:39:56 -0800 (PST) Date: Fri, 20 Nov 2015 11:39:56 -0800 Message-ID: Subject: CVE-2015-5257 - Weak Randomization of BridgeSecret for Apache Cordova Android From: Joe Bowser To: DAVIDKA@il.ibm.com, Roee Hay , "private@cordova.apache.org" , dev , "security@apache.org" , oss-security@lists.openwall.com, bugtraq@securityfocus.com Content-Type: multipart/alternative; boundary=001a113f8d1e525c5a0524fe0a53 --001a113f8d1e525c5a0524fe0a53 Content-Type: text/plain; charset=UTF-8 =================================================================== CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android Severity: Low Vendor: The Apache Software Foundation Versions Affected: Cordova Android versions up to and including 3.6.4 Description: Cordova uses a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios. Upgrade Path: Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Version 3.7.1 and later do not contain this vulnerability. Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team. --001a113f8d1e525c5a0524fe0a53--