Alta Aware — 1179: Android security vulnerabilities in Bouncy Castle library

Release Date

15th of August 2024

Overview

Multiple vulnerabilities have been disclosed by the vendor of the Bouncy Castle Java TLS library that could affect the confidentiality, integrity, and availability of the Aware Android app.

Affected Products

  • Ava Aware:
    • Android app versions before 3.7.4

Unaffected Products

  • Ava Aware:
    • All Android app versions after and including 3.7.4
    • All iOS app versions
    • All Web client versions
  • Ava Cameras:
    • All versions
  • Ava Cloud:
    • All versions

Resolution

This issue has been fixed in version 3.7.4 of the Aware Android app.

It is recommended that all users running an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through the Google Play Store.

Vulnerability Information

  • CVE: CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-34447
  • CVSSv3 score: awaiting official analysis from NVD.

Mitigations

There are no known mitigations for this issue.

Workarounds

There are no known workarounds for this issue.

Acknowledgements

Issues reported by the vendor of the library.

Disclosure Timeline

  • 29/04/2024 Issues disclosed by the vendor of the library
  • 07/05/2024 Fix identified
  • 12/08/2024 Patched version of the Android app released
  • 15/08/2024 Vulnerability publicly disclosed