terl / lazysodium-android

An Android implementation of the Libsodium cryptography library. For the lazy dev.
https://github.com/terl/lazysodium-java/wiki
Mozilla Public License 2.0

JNA vulnerabilities #39

Closed malenalbc closed 3 years ago

malenalbc commented 4 years ago

I ran the Dependency Check plugin on my Android library, which contains the Lazysodium and JNA dependencies (as stated in the Install section of the README):

    embed "com.goterl.lazycode:lazysodium-android:4.2.0@aar"
    embed 'net.java.dev.jna:jna:5.6.0@aar'

The plugin provides a report of vulnerabilities based on the National Vulnerability Database (NVD) hosted by NIST. Of the several issues it listed for JNA, two scored 10 on the CVSS scale.

jna-5.6.0.aar (pkg:maven/net.java.dev.jna/jna@5.6.0, cpe:2.3:a:sun:java:5.6.0:*:*:*:*:*:*:*, cpe:2.3:a:sun:java_se:5.6.0:*:*:*:*:*:*:*) : CVE-1999-0142, CVE-1999-0440, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1107, CVE-2009-2475, CVE-2009-2476, CVE-2009-2676, CVE-2009-2689, CVE-2009-2690, CVE-2009-2716, CVE-2009-2717, CVE-2009-2719, CVE-2009-2720

My question is: do any of them affect the Android OS, and could they be used to exploit a vulnerability in the use of Lazysodium?

Thanks!
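Added example, not code from the issue or from the lazysodium project. The report line quoted above pairs JNA's Maven coordinates (`pkg:maven/net.java.dev.jna/jna@5.6.0`) with CPEs for `sun:java` and `sun:java_se`, with the CPE version copied from the artifact. The script below parses such a summary line, checks whether the matched CPE vendor/product actually correspond to the Maven groupId/artifactId, and, for mismatches, emits a dependency-check suppression entry scoped to that package URL. The sample line is constructed from the one in the issue; the `<suppress>`, `<packageUrl>` and `<cpe>` element names and the schema URL follow the dependency-check suppressions.xml format as I know it and are an assumption to verify against the plugin version in use.

```python
"""Triage a dependency-check finding for CPE misidentification.

Added example, not part of the lazysodium project or this issue. Parses a
'file (identifiers) : CVE list' summary line, compares the matched CPE
vendor/product with the Maven coordinates in the package URL, and builds a
suppressions.xml entry for CPEs that do not line up. The XML element names and
schema URL are an assumption about dependency-check's suppression format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, built from the line quoted in the issue (CVE list shortened).
SAMPLE = (
    "jna-5.6.0.aar (pkg:maven/net.java.dev.jna/jna@5.6.0, "
    "cpe:2.3:a:sun:java:5.6.0:*:*:*:*:*:*:*, "
    "cpe:2.3:a:sun:java_se:5.6.0:*:*:*:*:*:*:*) : "
    "CVE-1999-0142, CVE-1999-0440, CVE-2009-1102, CVE-2009-2475, CVE-2009-2720"
)

LINE_RE = re.compile(r"^(?P<file>\S+)\s+\((?P<ids>[^)]*)\)\s*:\s*(?P<cves>.*)$")
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>.+)$")


@dataclass
class Finding:
    filename: str
    purl: str
    group: str
    artifact: str
    version: str
    cpes: list = field(default_factory=list)
    cves: list = field(default_factory=list)


def parse_finding(line: str) -> Finding:
    """Parse one summary line into its Maven coordinates, CPE matches and CVE ids."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised finding line: {line!r}")
    ids = [i.strip() for i in m.group("ids").split(",") if i.strip()]
    purls = [i for i in ids if i.startswith("pkg:")]
    if len(purls) != 1:
        raise ValueError("expected exactly one package URL in the identifier list")
    pm = PURL_RE.match(purls[0])
    if not pm:
        raise ValueError(f"not a Maven package URL: {purls[0]!r}")
    return Finding(
        filename=m.group("file"),
        purl=purls[0],
        group=pm.group("group"),
        artifact=pm.group("artifact"),
        version=pm.group("version"),
        cpes=[i for i in ids if i.startswith("cpe:2.3:")],
        cves=[c.strip() for c in m.group("cves").split(",") if c.strip()],
    )


def cpe_fields(cpe: str) -> tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 string (escaped colons not handled)."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[3], parts[4], parts[5]


def suspicious_cpes(f: Finding) -> list[tuple[str, list[str]]]:
    """Flag CPEs whose vendor/product do not match the artifact. Heuristic only:
    a reviewer still has to confirm the listed CVEs do not concern this library."""
    group_tokens = set(f.group.lower().split("."))
    flagged = []
    for cpe in f.cpes:
        vendor, product, version = cpe_fields(cpe)
        reasons = []
        if product.lower() != f.artifact.lower():
            reasons.append(f"CPE product {product!r} is not the artifactId {f.artifact!r}")
        if vendor.lower() not in group_tokens:
            reasons.append(f"CPE vendor {vendor!r} does not occur in groupId {f.group!r}")
        if reasons and version == f.version:
            reasons.append("CPE version equals the artifact version, which suggests the CPE "
                           "was built from the artifact coordinates, not from an NVD record")
        if reasons:
            flagged.append((cpe, reasons))
    return flagged


def cpe22_uri(cpe: str) -> str:
    """Vendor:product of the CPE as a 2.2 URI, the form the <cpe> suppression element takes (assumption)."""
    vendor, product, _ = cpe_fields(cpe)
    return f"cpe:/a:{vendor}:{product}"


def suppression_xml(f: Finding, cpes: list[str], note: str) -> str:
    """Build a suppressions.xml that drops the given CPE matches for this package URL only."""
    purl_re = rf"^pkg:maven/{re.escape(f.group)}/{re.escape(f.artifact)}@.*$"
    uris = list(dict.fromkeys(cpe22_uri(c) for c in cpes))  # dedupe, keep order
    cpe_lines = "\n".join(f"        <cpe>{u}</cpe>" for u in uris)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">\n'
        "    <suppress>\n"
        f"        <notes><![CDATA[{note}]]></notes>\n"
        f'        <packageUrl regex="true">{purl_re}</packageUrl>\n'
        f"{cpe_lines}\n"
        "    </suppress>\n"
        "</suppressions>\n"
    )


if __name__ == "__main__":
    finding = parse_finding(SAMPLE)
    flagged = suspicious_cpes(finding)
    for cpe, reasons in flagged:
        print(cpe)
        for r in reasons:
            print("  -", r)
    if flagged:
        print(suppression_xml(finding, [c for c, _ in flagged],
                              "Reviewed: CPE vendor/product do not match the Maven coordinates"))
```

Scoping the suppression to the package URL regex rather than to the CVE ids keeps the entry from hiding a future, genuine JNA advisory; the `<notes>` text is where the reviewer records why the match was judged wrong.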

gurpreet- commented 4 years ago

Wow thanks for raising this! Let me look into these right now...

gurpreet- commented 4 years ago

It's recommended to use JDK 1.8 or above with Lazysodium. You can set JDK 1.8 for both Java and Android now as far as I'm aware.

If there are any other CVEs you want me to look at then feel free to let me know!

malenalbc commented 4 years ago

Good to know! Yes, with Gradle 3.0.0+ it's fairly easy to set up. Thanks for taking a look 👍