Notice no.: IN-119, rev. 1.0.1

Hi. 

Could someone clarify which versions are acceptable, instead of going by date?

 If you take look at the Informational Notice of Security Vulnerability (IN-119). The affected versions is listed on the top right. 
"Product version information: All versions of S110, S120 and S130 S132 v2.0.0" 

It looks like SDK 12.2 might be covered, so everything after that should be unaffected?

 It's not the SDK itself that is affected by this, but certain versions of the Softdevice (ref. IN-119). 
Using SDK v.12.2.0 with Softdevice S132 v.3.0.0 (which is listed as the supported S132 Softdevice) will not be affected by this. 

Best regards, 
Joakim

Hi. 

Could someone clarify which versions are acceptable, instead of going by date?

 If you take look at the Informational Notice of Security Vulnerability (IN-119). The affected versions is listed on the top right. 
"Product version information: All versions of S110, S120 and S130 S132 v2.0.0" 

It looks like SDK 12.2 might be covered, so everything after that should be unaffected?

 It's not the SDK itself that is affected by this, but certain versions of the Softdevice (ref. IN-119). 
Using SDK v.12.2.0 with Softdevice S132 v.3.0.0 (which is listed as the supported S132 Softdevice) will not be affected by this. 

Best regards, 
Joakim

我就想知道到底S130是所有版本都受影响，还是S130就v2.0.0这个版本受影响

Does S130 v2.0.1 acceptable?

Yes, as I said the affected versions is listed in the Notice of Security Vulnerability IN-119.

Is Application definitely affected when using the corresponding soft device?

The following is not in the source code and I didn't know if my application was corresponding.
・READ_BY_TYPE_REQUEST
・READ_BY_GROUP_TYPE_REQUEST

Hi.

As stated in the Notice of Security Vulnerability IN-119:
“The vulnerability requires a non-compliant BLE protocol stack to send invalid, or mal-formed packets in response to request types generated by a GATT Client implementation. This vulnerability is not exposed by qualified implementations of BLE protocol stacks that implement valid behavior.

Affected implementations must have the following criteria:

• Use an affected BLE protocol stack
• Use a GATT Client
• Execute a service discovery procedure or a read of a characteristic by UUID which results in one of the following request packet types to be sent to a device implementing a GATT server:
  o READ_BY_TYPE_REQUEST
  o READ_BY_GROUP_TYPE_REQUEST

Implementations using Central Role are likely to execute a service discovery procedure. If an implementation uses Peripheral Role only, GATT Client is optionally implemented.”

All three criterias mentioned above is required to be affected, so the application must use an affected BLE softdevice, have a GATT client, and execute a service discovery at the specific time.
If one of the criterias above is not met, then you won’t be affected even if you are using an affected version of the softdevice.

Best regards, 
Joakim