

---
layout: post
author:
    name: Steve Gill
    url: https://twitter.com/stevesgill
title: "Apache Cordova Android 6.1.2 Released"
categories: announcements
tags: news releases security
---

A security issue was discovered in cordova-android. We are releasing cordova-android@6.1.2 to address it. We recommend that all Android applications built using cordova-android be upgraded to version 6.1.2. Other Cordova platforms such as iOS are unaffected and do not have an update.

When using the Cordova CLI, update with the following command:

```
cordova platform update android@6.1.2
```

The security issue is CVE-2017-3160.

For your convenience, the text of this CVE is included here.


CVE-2017-3160: Gradle Distribution URL used by Cordova-Android does not use https by default

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android (6.1.1 and below)

Description: After the Android platform is added to a Cordova project for the first time, or after a project is created using the build scripts, the scripts fetch Gradle on the first build. Because the default distribution URI does not use https, the download is vulnerable to a man-in-the-middle (MiTM) attack and the fetched Gradle executable cannot be trusted. The severity of this issue is high because the build scripts immediately start a build once Gradle has been fetched.

Upgrade path: Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android.

Mitigation Steps: If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip.
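As an added example (not part of this announcement or of the cordova-android code), the following POSIX shell check lets a developer confirm which Gradle distribution URL a project's build would fetch and whether it uses https. It assumes that the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL variable from the mitigation takes precedence over the `distributionUrl` key in `gradle/wrapper/gradle-wrapper.properties`, and the sample properties file it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Cordova project. Assumed precedence:
# CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL (if set) overrides the
# distributionUrl found in gradle/wrapper/gradle-wrapper.properties.

# gradle_dist_url <properties-file>: print the effective distribution URL.
gradle_dist_url() {
    if [ -n "${CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL:-}" ]; then
        printf '%s\n' "$CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL"
        return 0
    fi
    # Java properties files escape ':' as '\:'; strip the backslashes.
    sed -n 's/^distributionUrl=//p' "$1" | sed 's/\\//g'
}

# url_is_https <url>: return 0 when the scheme is https, 1 otherwise.
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_gradle_url <properties-file>: 0 if Gradle is fetched over TLS,
# 1 if the URL is missing or uses a plaintext scheme (the CVE-2017-3160
# condition described above).
check_gradle_url() {
    url=$(gradle_dist_url "$1")
    if [ -z "$url" ]; then
        echo "no distributionUrl found in $1" >&2
        return 1
    fi
    if url_is_https "$url"; then
        echo "OK: Gradle fetched over https: $url"
        return 0
    fi
    echo "WARNING: Gradle fetched over plaintext (CVE-2017-3160): $url" >&2
    return 1
}

# Demo on a constructed gradle-wrapper.properties using a plaintext URL,
# the situation the advisory describes for versions 6.1.1 and below.
demo_file=$(mktemp)
printf 'distributionUrl=http\\://services.gradle.org/distributions/gradle-2.14.1-all.zip\n' > "$demo_file"
check_gradle_url "$demo_file" || true
rm -f "$demo_file"
```

Exporting the mitigation variable before running the check (or the build) makes `check_gradle_url` report the https URL instead of the warning.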

Credit: Alon Galili