
List:       oss-security
Subject:    [oss-security] [CVE-2019-17561] "Apache NetBeans" autoupdate system does not fully validate code sig
From:       Matthias Bläsing <mblaesing () doppel-helix ! eu>
Date:       2020-03-29 20:56:10
Message-ID: 0ab0448134c222126b15f32246bc73d308836933.camel () doppel-helix ! eu


CVE-ID
------
CVE-2019-17561

Summary
-------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures.

Versions Affected:
------------------
- All Apache NetBeans versions up to and including 11.2
- NetBeans releases from before the Apache transition started may
  also be affected

Description:
------------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures. An attacker could modify the downloaded nbm and
include additional code.
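
A defensive coverage check, added here as an illustration and not code from NetBeans or from this advisory, nor a claim about where the NetBeans validation fell short: it treats the .nbm as a JAR-style archive (an assumption about the format) and reports every entry that the signed manifest does not list or whose SHA-256-Digest no longer matches, which is what a downloaded archive with added or altered code would produce. It checks manifest coverage only; verifying the signature block over the manifest itself is left to a tool such as jarsigner. build_sample_nbm and the archive contents it produces are constructed sample data.

```python
import base64, hashlib, io, zipfile

# Signing machinery under META-INF/ is not itself covered by per-entry digests.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF")

def parse_manifest(text):
    """Return {entry name: {header: value}} for the named sections of a JAR manifest."""
    sections, current, last_key = {}, {}, None
    for line in text.splitlines():
        if line == "":                      # blank line ends a section
            if "Name" in current:
                sections[current["Name"]] = current
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:   # continuation of the previous header
            current[last_key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key], last_key = value, key
    if "Name" in current:
        sections[current["Name"]] = current
    return sections

def find_uncovered_entries(nbm_bytes):
    """Names of entries the manifest does not cover, or whose SHA-256-Digest no longer matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(nbm_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in zf.namelist():
            if name.endswith("/") or (name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)):
                continue                    # directories and signature files carry no digest
            section = manifest.get(name, {})
            digest = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            if section.get("SHA-256-Digest") != digest:
                problems.append(name)       # unlisted entry or content changed after signing
    return problems

def build_sample_nbm(extra=None, tamper=False):
    """Constructed in-memory NBM-style archive (sample data, not a real NetBeans module)."""
    payload = b"module bytes"
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: netbeans/modules/example.jar\r\n"
                f"SHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("netbeans/modules/example.jar", b"tampered" if tamper else payload)
        if extra:
            zf.writestr(extra, b"unlisted content")
    return buf.getvalue()
```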

Mitigation:
-----------
- Disable autoupdates
- Install only plugins from trusted sources and validate the
  downloads by checking signatures and/or comparing checksums
  from trusted sources
- Update to NetBeans 11.3 by downloading the release, verifying the
  signature and manually installing it

Credit:
-------
The investigation was triggered by a proof-of-concept submitted by
Emilian Bold

["signature.asc" (application/pgp-signature)]
