Exclude nimbus classes JCASupport and AESCBC using ProGuard, Fixes AB#3042434
https://portal.microsofticm.com/imp/v5/incidents/details/543093195/summary https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/2164 A couple of customers have reported vulnerabilities in the nimbus lib using MobSF. The vulnerabilities are:
CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking OWASP Top 10: M5: Insufficient Cryptography OWASP MASVS: MSTG-CRYPTO-3
com/nimbusds/jose/crypto/AESCBC.java
com/nimbusds/jose/jca/JCASupport.java
Nimbus already fixed the padding issue, see https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/516/insecure-encryption-mode-cbc-with-pkcs5. But they keep these libraries because the AES/CBC/HMAC mode is a current JOSE standard and as such it will be supported by the nimbus-jose-jwt lib, see https://datatracker.ietf.org/doc/html/rfc7519#section-8. So, they won't fix.
With this change we attempt to exclude these classes using ProGuard. Right now, we do not have MobSF set up to validate whether this will work. AB#3042434
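As an added illustration (not the change in this PR, and not code from the MSAL or nimbus-jose-jwt projects), this is the shape a ProGuard/R8 rules fragment takes for the approach described above. ProGuard has no directive that removes a named class on request; it only drops classes the shrinker finds unreachable from the kept entry points. So the rules must avoid keeping the nimbus package wholesale, and they should emit diagnostics that show whether the two flagged classes survived. The output path and the `-dontwarn` pattern are assumptions for this example.

```proguard
# Added example, not MSAL's or nimbus-jose-jwt's own rules.
#
# Do NOT add a wholesale keep rule for nimbus such as
#   -keep class com.nimbusds.** { *; }
# That retains AESCBC and JCASupport even when nothing in the app reaches
# them, and MobSF would keep flagging them in the shipped artifact.
#
# If a narrower keep is needed (e.g. for a class loaded by name), scope it to
# the exact class and members instead of the whole package.

# nimbus probes optional JCA providers reflectively; suppress the resulting
# missing-class warnings instead of keeping the classes (assumed pattern,
# adjust to the warnings the build actually prints).
-dontwarn com.nimbusds.jose.jca.**

# Diagnostics: list the dead code the shrinker removed. After a release
# build, the two classes should appear in this file (assumed output path).
-printusage build/outputs/proguard/usage.txt

# If either class is still kept, print the reference chain that keeps it so
# the retaining rule or code path can be found and removed.
-whyareyoukeeping class com.nimbusds.jose.crypto.AESCBC
-whyareyoukeeping class com.nimbusds.jose.jca.JCASupport
```

To check the result without MobSF, build the release variant, confirm the two class names are listed in `usage.txt`, and list the packages actually defined in the output with `apkanalyzer dex packages --defined-only <apk> | grep nimbus` from the Android SDK command-line tools. Because MobSF scans the shipped artifact, a MobSF run on the final AAR/APK remains the authoritative confirmation that the finding is gone.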
✅ Work item link check complete. Description contains link AB#3042434 to an Azure Boards work item.
Should we:
- validate with MobSF ourselves before shipping/closing this, or
- generate a private build for the customer to validate?
Scanned msal 5.7.0 using the latest MobSF and there is no nimbus vulnerability with high risk. I will close this now and re-evaluate if needed. msal5.7.0-mobsf-report.pdf