IBM Support

PI75787: CVE-2017-3160: GRADLE DISTRIBUTION URL USED BY CORDOVA-ANDROID DOES NOT USE HTTPS BY DEFAULT

APAR status

  • Closed as program error.

Error description

  • Starting with cordova-android 5.0.0, the platform sets the Gradle
    distribution URL as part of the initial platform setup. This
    distribution URL is the location Gradle is fetched from. The
    default URL that Cordova uses has the http scheme, which is
    unsafe: the download can be the subject of man-in-the-middle
    attacks. Cordova should use the https URL instead.

Local fix

  • Set environment variable CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL
    to the https distribution URL of your choice.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Users creating cordova android apps with cordova version 5.0 *
    * and above and below version 6.1.2.                           *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * The URL that cordova-android uses to pull Gradle is an http  *
    * URL. This is not safe and is susceptible to man in the       *
    * middle attacks, so cordova-android changed the URL to https. *
    * The fix is in cordova-android 6.1.2, so everyone should      *
    * upgrade to this version of cordova-android. If you are not   *
    * building with gradle or using a version of cordova-android   *
    * pre-5.0, you don't have to worry about it since the affected *
    * code is not there.                                           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * -                                                            *
    ****************************************************************
    

Problem conclusion

  • The minimum version of cordova-android that the plugin uses has
    been raised to 6.1.2.

Temporary fix

Comments

APAR Information

  • APAR number

    PI75787

  • Reported component name

    MOBILE1ST PLATF

  • Reported component ID

    5725I4301

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-01-31

  • Closed date

    2017-04-24

  • Last modified date

    2017-04-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MOBILE1ST PLATF

  • Fixed component ID

    5725I4301

Applicable component levels

  • R800 PSY

       UP

Document Information

Modified date:
24 April 2017