oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2019-17561] "Apache NetBeans" autoupdate system does not fully validate code signatures.

From: Matthias Bläsing <mblaesing () doppel-helix eu>
Date: Sun, 29 Mar 2020 22:56:10 +0200
CVE-ID
------
CVE-2019-17561

Summary
-------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures.

Versions Affected: 
------------------
- All Apache NetBeans versions up to and including 11.2
- NetBeans releases before the Apache transition started may be
  also affected

Description:
------------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures. An attacker could modify the downloaded nbm and
include additional code.

Mitigation:
-----------
- Disable autoupdates
- Install only plugins from trusted sources and validate the
  downloads by checking signatures and/or comparing checksums
  from trusted sources
- Update to NetBeans 11.3 by downloading the release, verifying the
  signature and manually installing it

Credit:
-------
The investigation was triggered by a proof-of-concept submitted by
Emilian Bold

Attachment: signature.asc
Description: This is a digitally signed message part

Previous By Date Next
Previous By Thread Next

Current thread: