Vulnerability warning in Android mobile app

I just built a fresh install of Home Assistant after moving into a new house. Ever since, I get a warning once a day when I open the Android mobile app:

The “View Bulletin” link takes me to the security bulletin from last year, talking about vulnerabilities in one of the 2021 versions and custom components (Security Disclosure 2: vulnerabilities in custom integrations HACS, Font Awesome and others - Home Assistant). I am running 2022.9.6, and so far I only have one custom component installed - HACS (up to date at 1.27.2).

I never had this issue with my old install. Both installs were Home Assistant Core.

Any ideas? It’s extremely annoying.

The app must not be getting a proper response when the HA core version is being shared to it, very strange. Check the companion app logs (Settings > Companion App > Show and share logs) to see if there are any errors.

Thank you, that was very helpful. I swear I scrolled by that option 10 times.

Just in case others are seeing the same thing - I was getting errors in the log:

09-24 20:27:00.873 31940 21590 E WebSocketRepository: Websocket: onFailure
09-24 20:27:00.873 31940 21590 E WebSocketRepository: java.net.ProtocolException: Expected HTTP 101 response but was '403 Forbidden'

It all seemed to be working properly, but it wasn’t able to get the server configuration apparently. The one change I had made was switching from an nginx proxy and letsencrypt locally with port forwarding to nginx proxy running on OPNsense. I reverted back to the port forward and local nginx config, and all is well.

I like the idea of running the proxy on the firewall, but holy crap the nginx configuration on OPNsense is terrible.

Thanks for the pointer in the right direction @dshokouhi
