PI53154: WEAK RANDOMIZATION OF BRIDGESECRET FOR APACHE CORDOVA ANDROID IS A VULNERABILITY

Fixes are available

IBM MobileFirst Platform Foundation Interim Fix README for 7.1
IBM MobileFirst Platform Foundation Interim Fix README for 7.0
IBM MobileFirst Platform Foundation Interim Fix README for 6.3

APAR status

Closed as program error.

Error description

Cordova uses a bridge that allows the Native Application to
communicate with the HTML and Javascript that control the user
interface. To protect this bridge on Android, the framework uses
a BridgeSecret to protect it from third-party hijacking.
However, the BridgeSecret is not sufficiently random and can be
determined in certain scenarios.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:                                              *
* Users who use versions 6.3, 7.0, and 7.1 of MobileFirst      *
* Platform Foundation applications for Android.                *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* The Cordova bridge is used as a communication channel for    *
* javascript and native, sending messages back and forth       *
* through the bridge. Cordova-android uses a BridgeSecret to   *
* protect its messages from third-party interference, however, *
* the way the BridgeSecret was implemented before does not use *
* a very secure way to randomize the BridgeSecret. The         *
* BridgeSecret could potentially be guessed and there lies the *
* vulnerability. The BridgeSecret now uses SecureRandom as a   *
* way to securely ensure that the BridgeSecret is truly        *
* randomized and it won't be easily guessed.                   *
****************************************************************
* RECOMMENDATION:                                              *
* -                                                            *
****************************************************************

Problem conclusion

After installing the iFix, please rebuild your application.

Temporary fix

Comments

APAR Information

APAR number
PI53154
Reported component name
MFPF/WORKLIGHT
Reported component ID
5725I4301
Reported release
505
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-11-25
Closed date
2015-12-11
Last modified date
2015-12-11

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
MFPF/WORKLIGHT
Fixed component ID
5725I4301

Applicable component levels

R630 PSY
UP
R700 PSY
UP
R710 PSY
UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZH4A","label":"IBM Worklight"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"505","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
14 October 2021

Tips

PI53154: WEAK RANDOMIZATION OF BRIDGESECRET FOR APACHE CORDOVA ANDROID IS A VULNERABILITY

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R630 PSY

R700 PSY

R710 PSY

Document Information

Share your feedback

Need support?