
Security vulnerability due to using com.nimbusds:nimbus-jose-jwt:5.1

Open ganesh-papola opened this issue 2 years ago • 6 comments

Steps to Reproduce

We have got a security warning flagged by NowSecure, our mobile security scanner. The test looks in the decompiled code of the binary for instances of static strings being used as cryptographic seeds. It advised us that code in our app is using a hardcoded byte array as a seed value for encryption. It traced this hardcoded byte array to com.nimbusds:nimbus-jose-jwt:5.1 (see stack trace below), which we traced to this library:

react-native-code-push/android/app/build.gradle

Line 30 in b9fb9fb

implementation 'com.nimbusds:nimbus-jose-jwt:5.1'

Expected Behavior

When initializing encryption, do not use a hardcoded byte array as a seed value. Instead, consider using dynamic values such as SecureRandom in order to create a secure initialization of the cryptography. The Findings Evidence table provides the instances where a hardcoded value was used.

See Android Developer Guidance and Code Samples for Secure Cryptography: https://developer.android.com/guide/topics/security/cryptography

A suggested fix might be to use a different library or encourage nimbus to change how they are seeding encryption.

Actual Behavior

The application is using static values as seeds for encryption. This means that any attacker who sees those static seeds will be able to easily decrypt that data. If the data being encrypted is sensitive information, the attacker will be able to see and exploit the information.

STACK TRACE AND/OR SCREENSHOTS

{
  "location": "Lcom/nimbusds/jose/crypto/AESGCMKW;,decryptCEK,(Ljavax/crypto/SecretKey;[BLcom/nimbusds/jose/crypto/AuthenticatedCipherText;ILjava/security/Provider;)Ljavax/crypto/SecretKey;",
  "hardcoded_value": "Lcom/nimbusds/jose/crypto/AESGCM;,decrypt,(Ljavax/crypto/SecretKey;[B[B[B[BLjava/security/Provider;)[B",
  "instance_type": "Ljavax/crypto/spec/SecretKeySpec;"
}

Environment

react-native-code-push version: 7.0.3
react-native version: 0.64.2
iOS/Android/Windows version: android 29
Does this reproduce on a debug build or release build?: release
Does this reproduce on a simulator, or only on a physical device?: both
(The more info the faster we will be able to address it!)

ganesh-papola avatar Jun 12 '23 06:06 ganesh-papola

This was reported before, but it was closed:

https://github.com/microsoft/react-native-code-push/issues/2147

nikolal avatar Jul 03 '23 07:07 nikolal

It was only closed because no-one fixed it.

tmianhill avatar Jul 12 '23 15:07 tmianhill

Still facing this issue.

Environment

react-native-code-push version: 6.2.1
react-native version: 0.63.4
version: android 29

I also tried upgrading nimbusds to 9.8.1, which is the latest version, using patch-package. It did not help.

MOBSF Error:

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

Priority : high

CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-3

com/nimbusds/jose/crypto/AESCBC.java com/nimbusds/jose/jca/JCASupport.java

gbashish12556 avatar Jul 18 '23 11:07 gbashish12556

Any plans from @msftgits to fix it?

kennethnokman avatar Nov 13 '23 10:11 kennethnokman

I will bump this again so it's not auto-closed, since it seems to me it is important to fix.

nikolal avatar Jan 19 '24 14:01 nikolal

Hello, @gbashish12556, I see that the latest version of nimbus-jose-jwt is 9.37.3. Did you have a chance to try upgrading to this version?

AnatolyPristensky avatar Jan 30 '24 11:01 AnatolyPristensky

It was fixed in the latest release (v8.2.2).

DmitriyKirakosyan avatar Apr 17 '24 07:04 DmitriyKirakosyan