CVE-2015-5257/CVE-2015-8320: Weak Randomization of BridgeSecret for Apache Cordova Android

As of November 25, 2015, IBM is aware that Cordova announced two CVEs for vulnerabilities on the Android platform. This post focuses on CVE-2015-5257. The other CVE is still being worked on.

Note: On some sites, this CVE may be referred to as CVE-2015-8320. Red Hat made a typo in their CVE, using the same number as Cordova, so Cordova's CVE got pushed to CVE-2015-8320.

https://cordova.apache.org/announcements/2015/11/20/security.html

CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.6.4

Description:

Cordova uses a bridge that allows the native application to communicate with the HTML and JavaScript that control the user interface. On Android, the framework uses a BridgeSecret to protect this bridge from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios.

Upgrade Path: Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Versions after 3.6.4 do not contain this vulnerability.

Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team
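The difference between a guessable and an unguessable bridge secret, as an added example that is not Cordova's or IBM's code. The class `BridgeGate` and its methods are hypothetical, and `java.util.Random` stands in as an assumed weak source, since the advisory does not name the generator that was used.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical gate for a native<->JavaScript bridge; not Cordova's own class.
public class BridgeGate {
    private static final SecureRandom CSPRNG = new SecureRandom();
    private int expectedSecret = -1;   // -1 means the bridge is disabled

    // Weak form (assumed for illustration): a non-cryptographic generator.
    // The output is a pure function of the seed, so it is reproducible.
    static int weakSecret(long seed) {
        return new Random(seed).nextInt(Integer.MAX_VALUE);
    }

    // Hardened form: draw the secret from the platform CSPRNG.
    int generateSecret() {
        expectedSecret = CSPRNG.nextInt(Integer.MAX_VALUE);
        return expectedSecret;
    }

    // Check a caller-supplied secret. A wrong value disables the bridge until
    // a new secret is issued, so the value cannot be found by repeated guesses.
    boolean verify(int supplied) {
        if (expectedSecret < 0) return false;
        byte[] a = ByteBuffer.allocate(4).putInt(expectedSecret).array();
        byte[] b = ByteBuffer.allocate(4).putInt(supplied).array();
        boolean ok = MessageDigest.isEqual(a, b);   // constant-time compare
        if (!ok) expectedSecret = -1;
        return ok;
    }

    public static void main(String[] args) {
        long seed = 1448409600000L;   // constructed sample seed
        System.out.println("weak secret repeats for same seed: "
                + (weakSecret(seed) == weakSecret(seed)));
        BridgeGate gate = new BridgeGate();
        int secret = gate.generateSecret();
        System.out.println("correct secret accepted: " + gate.verify(secret));
        System.out.println("wrong secret accepted: " + gate.verify(secret ^ 1));
        System.out.println("usable after bad attempt: " + gate.verify(secret));
    }
}
```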

Available iFixes

iFixes will be available shortly for MobileFirst Platform Foundation versions 6.3, 7.0, and 7.1. All earlier versions of the product are unaffected.

Last modified on May 01, 2016