June 13, 2014
Question

Google play and Adobe air: Security Alert: You are using a highly vulnerable version of OpenSSL

  • June 13, 2014
  • 33 replies
  • 43348 views

Hello

I just got a message from Google Play saying that there is a vulnerable version of OpenSSL. Now, since I use Adobe AIR to build my apps, I was wondering how Adobe AIR can communicate with OpenSSL?

I've been using different versions of Adobe AIR for one year.

Here was the complete message:

Hello,

One or more of your apps is running an outdated version of OpenSSL, which has multiple security vulnerabilities. You should update OpenSSL as soon as possible. For more information about the most recent security vulnerability in OpenSSL, please see http://www.openssl.org/news/secadv_20140605.txt.

Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.

Regards,
Google Play Team

©2014 Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Email preferences: You have received this mandatory email service announcement to update you about important changes to your Google Play account.

Do you know how to fix that problem?

Bobby


33 replies

June 13, 2014

Nimitja, a lot of people are waiting for an answer to my last post.

OpenSSL 1.0.1g is not enough; Google Play says that it takes 1.0.1h.

Please answer us ASAP about that.

Bobby

June 13, 2014

If we look at the Google Play email, they refer us to this URL:

https://www.openssl.org/news/secadv_20140605.txt

and it says:

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

So we really need to upgrade to OpenSSL 1.0.1h if we read the Google Play email and follow the OpenSSL link they gave us.

Known Participant
June 13, 2014

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

In my case, it was OpenSSL 1.0.1e 11 Feb 2013 when compiled with AIR 13 and it is now OpenSSL 1.0.1g 7 Apr 2014 (SDK 14.0.0.110).
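The `unzip -p ... | strings | grep` one-liner above tells you that some OpenSSL string exists somewhere in the package, but not in which file it lives or whether that version is actually below the fixed release. The following script is an added example (not code from this thread, from Adobe, or from Google) that walks every entry of an APK, extracts `OpenSSL x.y.z<letters>` version strings, and compares each one against the fixed releases named in the linked advisory secadv_20140605 (1.0.1h for the 1.0.1 branch, 1.0.0m for 1.0.0, 0.9.8za for 0.9.8). The sample APK it builds when run without arguments is constructed for the demonstration; the library names inside it (`libfake.so`, `libother.so`) are hypothetical and do not correspond to real AIR runtime files.

```python
"""Scan an APK for embedded OpenSSL version strings and flag versions that
predate the fixed releases from the OpenSSL advisory secadv_20140605.

Added example for this thread; the sample APK below is constructed, not a real
AIR build, and its library names are hypothetical.
"""
import io
import re
import sys
import zipfile

# Fixed releases per https://www.openssl.org/news/secadv_20140605.txt:
# branch (major, minor, fix) -> first non-vulnerable version of that branch.
FIXED = {
    (1, 0, 1): (1, 0, 1, "h"),
    (1, 0, 0): (1, 0, 0, "m"),
    (0, 9, 8): (0, 9, 8, "za"),
}

# Matches the start of strings such as "OpenSSL 1.0.1c 10 May 2012" that
# libcrypto/libssl embed; the letter suffix is optional ("OpenSSL 1.0.1 ...").
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.1c' into the comparable tuple (1, 0, 1, 'c')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_vulnerable(version):
    """True if the version is older than its branch's fixed release.

    Tuple comparison handles the letter suffix the way OpenSSL numbers
    releases: '' < 'a' < ... < 'z' < 'za'. A branch the advisory does not
    list (e.g. 1.0.2-beta1) is flagged so a human looks at it (fail closed).
    """
    fixed = FIXED.get(version[:3])
    if fixed is None:
        return True
    return version < fixed


def scan_apk(apk):
    """Scan every file in an APK (path or file-like zip) for OpenSSL versions.

    Returns a sorted, de-duplicated list of (entry_name, version, vulnerable),
    so you can see exactly which shipped .so carries the old library.
    """
    findings = set()
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            for m in VERSION_RE.finditer(data):
                ver = m.group(0)[len(b"OpenSSL "):].decode("ascii")
                findings.add((info.filename, ver, is_vulnerable(parse_version(ver))))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: an APK-shaped zip carrying the strings quoted in
    this thread. File names are hypothetical; this is not a real AIR package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr(
            "lib/armeabi/libfake.so",
            b"\x7fELF\x00Big Number part of OpenSSL 1.0.1c 10 May 2012\x00"
            b"RSA part of OpenSSL 1.0.1c 10 May 2012\x00padding",
        )
        z.writestr("lib/armeabi/libother.so", b"\x7fELF\x00OpenSSL 1.0.1h 5 Jun 2014\x00")
        z.writestr("assets/README.txt", b"no crypto here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python scan_apk_openssl.py YourApp.apk   (no argument: built-in sample)
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    for name, ver, vuln in scan_apk(source):
        print("%-40s OpenSSL %-6s %s" % (name, ver, "VULNERABLE" if vuln else "ok"))
```

Run it against a real build with `python scan_apk_openssl.py YourApp.apk`. Because it looks inside the APK rather than at the SDK directory, it answers the question raised later in this thread about `adb.exe`: a tool that stays on the developer's machine never shows up here, only the libraries that actually ship to users.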

June 13, 2014

Nimitja, we don't understand what you are saying. It doesn't help and it doesn't answer my post above at all.

Please explain it to us better and tell us which version of OpenSSL AIR 14.0.0.110 uses, because if it uses this:

Big Number part of OpenSSL 1.0.1c 10 May 2012

RSA part of OpenSSL 1.0.1c 10 May 2012

we will still have that vulnerability and we will not solve anything with that version of AIR.

Bobby

June 13, 2014

But Nimit, you told us this in the post above:

"We are aware of openSSL 1.0.1h version and the updated AIR SDK will be available soon."

and in the AIR 14.0.0.110 version the OpenSSL you use is an old one; look:

adb.exe in AIR 14.0.0.110 seems to use OpenSSL 1.0.1c

$ strings lib/android/bin/adb.exe | grep OpenSSL

Big Number part of OpenSSL 1.0.1c 10 May 2012

RSA part of OpenSSL 1.0.1c 10 May 2012

So the latest version of your SDK is not good if we look at the OpenSSL version vulnerability.

What versions of the OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

So AIR 14.0.0.110 uses OpenSSL 1.0.1c, which is vulnerable if we check the Heartbleed info:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

You should upgrade to version 1.0.1h according to this: https://www.openssl.org/news/secadv_20140605.txt

Your thoughts?

Participating Frequently
June 13, 2014

premiums77 wrote:

adb.exe in AIR 14.0.0.110 seems to use OpenSSL 1.0.1c

The OpenSSL version of adb.exe does not matter, because the adb.exe is not used by the published app.

premiums77 wrote:

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable

OpenSSL 1.0.1g is affected by multiple security vulnerabilities (see OpenSSL: OpenSSL vulnerabilities).

I think the problem is the OpenSSL 1.0.1g version of the AIR runtime or captive runtime. The mail from Google does not refer to the Heartbleed bug.

June 13, 2014

Hello Everybody

Thank you for your answers.

Nimitja, I have more than 100 apps to update. I want to know 2 important things before I start to update all my apps, because I want to be 100% sure it is the problem.

Question 1: If I recompile my apps with version 14.0.0.110, will the bug be fixed? Because I don't see any notes in that version about that.

Question 2: Does the bug come from the self-signed certificate that we create with Adobe AIR to publish our Android apps?

Question 3: Do we need to update the version of OpenSSL on our PC?


Thanks a lot for your help.

Robert

Adobe Employee
June 13, 2014

Hi Robert,

Could you please share the platforms (PCs, iOS, Android) used in the 100 apps you have created, as the OpenSSL implementation is different for different platforms.

Regards,

Nimit

June 13, 2014

Of course Nimitja

I use my PC, and my PC is Windows 8. I use Flash Pro CS6 version 12.0.2.529. I have been creating my apps (Android and iOS) with Adobe AIR for 13 months with different Adobe AIR versions. Here they are:

Adobe air 3.8.0.900

Adobe air 3.9.0.1050

Adobe air 4.0.0.1390

Adobe air 4.0.0.1690

Adobe air 13.0.0.61

So as you can see, I used different versions of Adobe AIR over the year.

Hope it can help.

Robert

Participating Frequently
June 13, 2014

I am a bit confused... The last AIR SDK I was using was 4.0.

This is 14.0? I don't get it :-)

Should I just put it into my Flash folder and use "Manage AIR SDK" as I did before?

Adobe Employee
June 13, 2014

Yes, please use "Manage AIR SDK" and update with the latest AIR SDK.

Regards,

Nimit

seasonw
Participating Frequently
June 13, 2014

Nimit, thanks for fast response with solution.

Going to be busy today to re-compile all my apps.

Inspiring
June 13, 2014

Maybe you need to read the last post from Chris Campbell.

Participating Frequently
June 13, 2014

Is it possible that the problem exists only for older AIR apps which are still in the store?
I have multiple apps in the store. One was produced with Flash CC over 1.5 years ago.

I also have absolutely fresh AIR apps in the store.

The problem is that Google's email doesn't say which app exactly was affected.

Maybe it is enough to republish the code with the current version of Flash Prof CC?

Nimit, please give us some more information - thanks a lot!

Adobe Employee
June 13, 2014

Hi All,

Please update the AIR SDK to our latest version, 14.0.0.110, available at Download Adobe AIR SDK, and please let us know if you face any problem.

Regards,

Nimit

Participating Frequently
June 13, 2014

I got the same message, and my apps were produced with Flash Professional CC via ActionScript (AS3).
Will it also help in that case to update the SDK and then re-publish the code, or do I have to wait for a Flash Prof CC update?

Eric Recluse
Participant
June 13, 2014

I got this message earlier today. I'm just wondering: is the OpenSSL invoked by my ANE or by the ADT packaging? I just upgraded my OpenSSL, which was version 0.9.8, to the latest 1.0.1h on my Mac, but I'm not sure if it helps. Now I'm digging into my ANE...