Fixes are available
APAR status
Closed as program error.
Error description
An exploitable security vulnerability exists in Cordova applications running on Android.
Local fix
Problem summary
USERS AFFECTED:
End users of Worklight applications running on Android

PROBLEM DESCRIPTION:
Hybrid or web based Android applications that were built using the Cordova library at version 3.5 and below are subject to a security exploit where an end user's private data can be sent to a third party server. The exploit relies on stringing together a series of smaller vulnerabilities, all of which have been fixed in Cordova versions 3.5 and above. A summary of the attack is as follows:
1. User visits a malicious website on the device's browser, which secretly downloads a remote file
2. The malicious website opens a Cordova based application targeting the malicious page
3. The malicious page has full access to the Cordova APIs and can steal and exfiltrate data
Please see
https://www.ibm.com/developerworks/community/blogs/worklight/entry/action_required_cordova_android_security_update?lang=en

RECOMMENDATION:
-
Problem conclusion
The issue was resolved in Cordova by ensuring that only the developer-selected start page is used to start a Cordova app, thus preventing unauthorized access to the Cordova APIs. Technically, this meant that Android intents can no longer specify the start and error pages of a Cordova application; however, this feature was never really supported or used in the first place. The whitelist was also improved to prevent exfiltration of data, although exfiltration can now occur only if a user installs an already-compromised Cordova application. Finally, documentation was added for the open source community on using Content Security Policy to further secure applications.

The fix can be applied by adding the ifix, then removing and re-adding the Android environment to the Worklight project. Because the Cordova project does not backport fixes, we backported all of these changes to the various IBM-maintained Cordova Extended Support Release streams.
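The following is an added example, not IBM's or the Cordova project's code: a small Node.js audit that checks a project for the three hardening points named above (packaged start page, narrow whitelist, Content Security Policy). The function names, the finding strings and the sample inputs are assumptions constructed for illustration; `<content src>`, `<access origin>` and the CSP meta tag are the standard Cordova and HTML constructs.

```javascript
// Collect the attributes of every <tag ...> element in an XML/HTML string.
function attrsOf(markup, tag) {
  const elems = markup.match(new RegExp(`<${tag}\\b[^>]*>`, 'gi')) || [];
  return elems.map((el) => {
    const attrs = {};
    for (const m of el.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) attrs[m[1].toLowerCase()] = m[2];
    return attrs;
  });
}

// Returns a list of findings; an empty list means all checks passed.
function auditCordovaApp(configXml, startPageHtml) {
  const findings = [];

  // 1. Start page: must be a relative path inside the package, not a URL.
  const content = attrsOf(configXml, 'content')[0];
  if (!content || /^[a-z][a-z0-9+.-]*:/i.test(content.src || '')) {
    findings.push('start-page: <content src> is missing or not a packaged relative path');
  }

  // 2. Whitelist: a wildcard origin lets page script reach any server.
  for (const { origin = '' } of attrsOf(configXml, 'access')) {
    if (origin === '*' || /^https?:\/\/\*(\/.*)?$/.test(origin)) {
      findings.push(`whitelist: wildcard <access origin="${origin}">`);
    }
  }

  // 3. CSP: the start page should carry a Content-Security-Policy meta tag.
  const csp = attrsOf(startPageHtml, 'meta')
    .find((m) => (m['http-equiv'] || '').toLowerCase() === 'content-security-policy');
  if (!csp) findings.push('csp: no Content-Security-Policy meta tag');
  else if (/(^|\s)\*(\s|;|$)/.test(csp.content || '')) findings.push('csp: policy contains a bare * source');

  return findings;
}

// Constructed sample inputs (not taken from any real application).
const weakConfig = '<widget><content src="index.html"/><access origin="*"/></widget>';
const weakPage = '<html><head><title>App</title></head></html>';
const hardConfig = '<widget><content src="index.html"/>' +
  '<access origin="https://api.example.com"/></widget>';
const hardPage = '<html><head><meta http-equiv="Content-Security-Policy" ' +
  'content="default-src \'self\'; connect-src https://api.example.com"></head></html>';

console.log(auditCordovaApp(weakConfig, weakPage)); // whitelist and csp findings
console.log(auditCordovaApp(hardConfig, hardPage)); // no findings
```

The regex-based attribute extraction is enough for a build-time lint of well-formed files; it is not a general XML or HTML parser.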
Temporary fix
Comments
APAR Information
APAR number
PI21530
Reported component name
WORKLIGHT CONSU
Reported component ID
5725I4301
Reported release
505
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-07-08
Closed date
2015-02-02
Last modified date
2015-02-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WORKLIGHT CONSU
Fixed component ID
5725I4301
Applicable component levels
R505 PSY
UP
R506 PSY
UP
R600 PSY
UP
R610 PSY
UP
R620 PSY
UP
R630 PSY
UP
Document Information
Modified date:
17 October 2021