1

I have an app published on Google Play and I received an email saying that my app has an issue with its Cordova version and OpenSSL version. I downloaded and applied a fix on my app for WorkLight 6.0.2, then rebuilt and redeployed it to the Google Store. The Cordova warning stopped, but the OpenSSL one is still there.

My WorkLight version is:

[Image: Worklight version]

I did a grep on my .apk file and had this result:

unzip -p myApp.apk | strings | grep "OpenSSL"

[Image: OpenSSL grep]

and

[Image: OpenSSL grep 2]

Reading some articles, I guess that the problem is with OpenSSL 1.0.xxx, and from the grep results I have two OpenSSL versions, 1.0.1 and 1.1.0. I don't know if my app has some third-party library that's using the old OpenSSL version. I'm using Xtify in this project. Maybe this is the problem?

[Image: xtify version]

I know that Stack Overflow has other posts about this OpenSSL issue, but none about this issue on Worklight + Xtify.

Thanks!

  • I know that my question has the same theme as other questions, but this one is directed at Worklight + some external library (Xtify?). So, I think it's not a 'duplicated' question as it was marked. – Diogo Ebert Apr 13 '16 at 18:13

1 Answer

3

Please note that Worklight v6.0.2 is not vulnerable to CVE-2016-0701 and CVE-2015-3197.

However, we are aware that Google is flagging the version of OpenSSL currently embedded with Worklight v6.0.2. We are updating the OpenSSL library to make sure it does not continue to trigger false positives as part of the Google Play review process.

The issue is being addressed through an iFix. The APAR that addresses it is: PI60605 OPENSSL RECEIVED SECURITY UPDATES AND MUST BE UPGRADED TO 1.0.2F (105608).

If you have questions or concerns about security vulnerabilities in our product, please report them through PMRs.

I hope this helps.

eabe
Namfo
  • Sorry, but it was addressed for whom, and when will the fix be provided? Thanks – Diogo Ebert Apr 13 '16 at 01:43
  • Hi Idan, thanks for your answer. I tried to open a PMR through the website and using software support through the phone, but to open a PMR I need to have a client code. I do not have a client. I'm using Worklight internally. Do you know a way to open a PMR being an IBMer? – Diogo Ebert Apr 14 '16 at 14:38
  • Hi @eabe, sorry. My WL version is 6.2.0 instead of 6.0.2 as I put in the title (now edited to the right version, 6.2.0). Will you provide a fix that addresses this version (6.2.0)? Thanks – Diogo Ebert Apr 25 '16 at 21:16
  • @DiogoEbert: No problem, the APAR addresses all supported versions. – eabe Apr 28 '16 at 05:09
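
The `unzip -p | strings | grep` pipeline in the question merges every APK entry into one stream, so it cannot show which file carries which OpenSSL banner. The following added example (not code from the original posts or from IBM) scans each archive entry separately and flags entries older than the 1.0.2f target named in APAR PI60605; the sample archive, its entry names and its banner strings are constructed, and a banner match is only a string heuristic.

```python
import io
import re
import zipfile

# OpenSSL builds carry a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
# Upgrade target named in APAR PI60605 (quoted in the answer): 1.0.2f.
FIXED = (1, 0, 2, "f")


def openssl_versions_by_entry(apk):
    """Map each archive entry to the sorted OpenSSL versions found in it."""
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            versions = {(int(m[1]), int(m[2]), int(m[3]), m[4].decode())
                        for m in BANNER.finditer(data)}
            if versions:
                found[info.filename] = sorted(versions)
    return found


def entries_below(found, minimum=FIXED):
    """Entries embedding any version older than `minimum` (tuple compare)."""
    return sorted(n for n, vs in found.items() if any(v < minimum for v in vs))


def build_sample_apk():
    """Constructed sample: in-memory archive shaped like an APK (names hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi/libold.so", b"\x7fELF\0OpenSSL 1.0.1e 11 Feb 2013\0")
        zf.writestr("lib/armeabi/libnew.so", b"\x7fELF\0OpenSSL 1.1.0\0")
        zf.writestr("classes.dex", b"dex\n035\0no banner here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    found = openssl_versions_by_entry(build_sample_apk())
    for name, versions in found.items():
        print(name, ["%d.%d.%d%s" % v for v in versions])
    print("older than 1.0.2f:", entries_below(found))
```

For a real build, pass the APK path (for example `openssl_versions_by_entry("myApp.apk")`); the entry names under `lib/` then show which bundled native library embeds the older banner.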