Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <C8EB6016-EA76-4539-8BF9-653A912055D4@gmail.com>
Date: Mon, 4 Aug 2014 19:08:57 -0400
From: Marcel Kinard <cmarcelk@...il.com>
To: security@...che.org,
 oss-security@...ts.openwall.com,
 bugtraq@...urityfocus.com,
 dev@...dova.apache.org
Subject: Apache Cordova 3.5.1

Android Platform Release: 04 Aug 2014

Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.

The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.

For your convenience, the text of these CVEs is included here.

A blog post is available at http://cordova.apache.org/#news


CVE-2014-3500: Cordova cross-application scripting via Android intent URLs


Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can be launched through
a special intent URL. A specially-crafted URL could cause the Cordova-based
application to start up with a different start page than the developer
intended, including other HTML content stored on the Android device. This has
been the case in all released versions of Cordova up to  3.5.0, and has been
fixed in the latest release (3.5.1). We recommend affected projects update
their applications to the latest release.

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
All released Cordova Android versions

Description:
Android applications built with the Cordova framework use a WebView component
to display content. Cordova applications can specify a whitelist of URLs which
the application will be allowed to display, or to communicate with via
XMLHttpRequest. This whitelist, however, is not used by the WebView component
when it is directed via JavaScript to communicate over non-http channels.

Specifically, it can be possible to open a WebSocket connection from the
application JavaScript which will connect to any reachable server on the
Internet. If an attacker is able to execute arbitrary JavaScript within the
application, then that attacker can cause a connection to be opened to any
server, bypassing the HTTP whitelist.

This is a limitation of the hybrid app architecture on Android in general, and
not specific to Apache Cordova.

It is possible to mitigate this attack vector by adding a CSP meta tag to all
HTML pages in the application, to allow connections only to trusted sources.
App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk
of XAS attacks against their applications, which could then use this mechanism
to reach unintended servers. See CVE-2014-3500 for more information on a
possible XAS vulnerability.

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1, and consider adding CSP meta tags to their application
HTML.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android
intent URLs


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can launch other
applications through the use of anchor tags, or by redirecting the webview to
an Android intent URL. An attacker who can manipulate the HTML content of a
Cordova application can create links which open other applications and send
arbitrary data to those applications. An attacker who can run arbitrary
JavaScript code within the context of the Cordova application can also set the
document location to such a URL. By using this in concert with a second,
vulnerable application, an attacker might be able to use this method to send
data from the Cordova application to the network.

The latest release of Cordova Android takes steps to block explicit Android
intent urls, so that they can no longer be used to start arbitrary applications
on the device.

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.