Security vulnerability due to using com.nimbusds:nimbus-jose-jwt:5.1 #2533
Description
Steps to Reproduce
We got a security warning flagged by NowSecure, our mobile security scanner. The test looks in the decompiled code of the binary for instances of static strings being used as cryptographic seeds. It advised us that code in our app is using a hardcoded byte array as a seed value for encryption. It traced this hardcoded byte array to com.nimbusds:nimbus-jose-jwt:5.1 (see stack trace below), which we traced to this library:
react-native-code-push/android/app/build.gradle
Line 30 in b9fb9fb
implementation 'com.nimbusds:nimbus-jose-jwt:5.1'
Expected Behavior
When initializing encryption, do not use a hardcoded byte array as a seed value. Instead, consider using dynamic values such as SecureRandom in order to create a secure initialization of the cryptography. The Findings Evidence table provides the instances where a hardcoded value was used.
See Android Developer Guidance and Code Samples for Secure Cryptography: https://developer.android.com/guide/topics/security/cryptography
A suggested fix might be to use a different library or encourage nimbus to change how they are seeding encryption.
Actual Behavior
The application is using static values as seeds for encryption. This means that any attacker who sees those static seeds will be able to easily decrypt that data. If the data being encrypted is sensitive information, the attacker will be able to see and exploit the information.
STACK TRACE AND/OR SCREENSHOTS
{
"location": "Lcom/nimbusds/jose/crypto/AESGCMKW;,decryptCEK,(Ljavax/crypto/SecretKey;[BLcom/nimbusds/jose/crypto/AuthenticatedCipherText;ILjava/security/Provider;)Ljavax/crypto/SecretKey;",
"hardcoded_value": "Lcom/nimbusds/jose/crypto/AESGCM;,decrypt,(Ljavax/crypto/SecretKey;[B[B[B[BLjava/security/Provider;)[B",
"instance_type": "Ljavax/crypto/spec/SecretKeySpec;"
}
Environment
react-native-code-push version: 7.0.3
react-native version: 0.64.2
iOS/Android/Windows version: android 29
Does this reproduce on a debug build or release build?: release
Does this reproduce on a simulator, or only on a physical device?: both
(The more info the faster we will be able to address it!)
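To illustrate the recommendation in the issue (replace static key material with a SecureRandom-backed source), here is an added example that is not code from react-native-code-push or nimbus-jose-jwt. It places a key built from constant bytes next to one generated through KeyGenerator seeded by SecureRandom and uses both with AES-GCM, so the difference the scanner cares about is visible at runtime. The class name, the HARDCODED_KEY bytes and the message text are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeySeedingExample {

    // Weak pattern the scanner is designed to catch: key material embedded as a
    // constant in the binary, recoverable by anyone who decompiles the app.
    // (Constructed illustrative bytes, not taken from any library.)
    private static final byte[] HARDCODED_KEY = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
        0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10
    };

    static SecretKey weakKey() {
        return new SecretKeySpec(HARDCODED_KEY, "AES");
    }

    // Corrected pattern: key material comes from the platform CSPRNG via
    // KeyGenerator initialised with SecureRandom. On Android, such a key should
    // live in the AndroidKeyStore rather than in app files or constants.
    static SecretKey freshKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    // AES-GCM with a per-message random 12-byte IV; output is IV || ciphertext+tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "sensitive payload".getBytes(StandardCharsets.UTF_8);

        // With the hardcoded key, any party holding the same constant (for example
        // read out of the decompiled APK) decrypts the data without any secret of its own.
        byte[] blob = encrypt(weakKey(), msg);
        byte[] recovered = decrypt(new SecretKeySpec(HARDCODED_KEY, "AES"), blob);
        System.out.println("hardcoded key recovers plaintext: " + Arrays.equals(msg, recovered));

        // With a freshly generated key, only the holder of that key object can decrypt;
        // trying the constant fails the GCM tag check and throws AEADBadTagException.
        SecretKey k = freshKey();
        blob = encrypt(k, msg);
        try {
            decrypt(weakKey(), blob);
            System.out.println("unexpected: hardcoded key decrypted random-key data");
        } catch (AEADBadTagException e) {
            System.out.println("hardcoded key rejected: " + e.getClass().getSimpleName());
        }
        System.out.println("correct key recovers plaintext: "
            + Arrays.equals(msg, decrypt(k, blob)));
    }
}
```

The point of the two runs is that the scanner's finding is about where the key bytes come from, not about the cipher: AES-GCM is used identically in both cases, and only the SecureRandom-derived key gives the data any protection against someone who has read the binary.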