CVE-2015-5257/CVE-2015-8320: Weak Randomization of BridgeSecret for Apache Cordova Android
As of November 25, 2015, IBM is aware that Cordova has announced two CVEs for vulnerabilities on the Android platform. This post focuses on CVE-2015-5257. The other CVE is still being worked on.
Note: On some sites, this CVE may be referred to as CVE-2015-8320. Red Hat made a typo in their CVE, using the same number as Cordova, so Cordova's CVE was reassigned to CVE-2015-8320.
CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android
Vendor: The Apache Software Foundation
Versions Affected: Cordova Android versions up to 3.6.4
Upgrade Path: Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Versions after 3.6.4 do not contain this vulnerability.
Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team
iFixes will be available shortly for MobileFirst Platform Foundation versions 6.3, 7.0, and 7.1. All of the other earlier versions of the product are unaffected.
Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.