List: oss-security
Subject: [oss-security] [CVE-2019-17561] "Apache NetBeans" autoupdate system does not fully validate code sig
From: Matthias Bläsing <mblaesing () doppel-helix ! eu>
Date: 2020-03-29 20:56:10
Message-ID: 0ab0448134c222126b15f32246bc73d308836933.camel () doppel-helix ! eu
CVE-ID
------
CVE-2019-17561
Summary
-------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures.
Versions Affected:
------------------
- All Apache NetBeans versions up to and including 11.2
- NetBeans releases from before the Apache transition started may
also be affected
Description:
------------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures. An attacker could modify the downloaded nbm and
include additional code.
Mitigation:
-----------
- Disable autoupdates
- Install only plugins from trusted sources and validate the
downloads by checking signatures and/or comparing checksums
from trusted sources
- Update to NetBeans 11.3 by downloading the release, verifying the
signature and manually installing it
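The weakness described above is that extra code can ride along in a downloaded nbm without the signature check rejecting it. The following added example (not part of the advisory or of NetBeans) shows the basic check a defender can run on a downloaded nbm before manual installation: list every archive entry that is not covered by a Name: section in the archive's .SF signature file. It constructs a toy nbm in memory; the .RSA block is a placeholder and the actual cryptographic verification of the signature block is out of scope here. In Java the equivalent per-entry check is JarEntry.getCodeSigners() after the entry has been fully read.

```python
import io
import zipfile

# Constructed sample only: a minimal signed-archive layout (MANIFEST.MF plus
# a .SF file with one "Name:" section per signed entry). The signature block
# itself is not verified here; this check only finds entries that the
# signature file does not cover, i.e. code that was added after signing.

def signed_entries(sf_text):
    """Return the set of entry names listed in 'Name:' sections of a .SF file."""
    names = set()
    for line in sf_text.splitlines():
        if line.startswith("Name: "):
            names.add(line[len("Name: "):].strip())
    return names

def uncovered_entries(nbm_bytes):
    """Return archive entries that are neither signature metadata nor listed
    in any META-INF/*.SF file. A non-empty result means the nbm carries code
    the signature does not vouch for."""
    with zipfile.ZipFile(io.BytesIO(nbm_bytes)) as zf:
        covered = set()
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                covered |= signed_entries(zf.read(name).decode("utf-8"))
        return sorted(
            n for n in zf.namelist()
            if not n.endswith("/")                 # skip directory entries
            and not n.startswith("META-INF/")      # manifest and signature files
            and n not in covered
        )

def build_sample(with_injected_entry):
    """Construct a toy .nbm: one entry covered by the .SF, optionally one not.
    Digest values and the .RSA content are placeholders, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\n\nName: netbeans/modules/x.jar\n"
                    "SHA-256-Digest: PLACEHOLDER\n")
        zf.writestr("META-INF/SIGNER.SF",
                    "Signature-Version: 1.0\n\nName: netbeans/modules/x.jar\n"
                    "SHA-256-Digest: PLACEHOLDER\n")
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")  # placeholder block
        zf.writestr("netbeans/modules/x.jar", b"signed module")
        if with_injected_entry:
            zf.writestr("netbeans/modules/injected.jar", b"not covered")
    return buf.getvalue()

if __name__ == "__main__":
    print(uncovered_entries(build_sample(False)))  # []
    print(uncovered_entries(build_sample(True)))   # ['netbeans/modules/injected.jar']
```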
Credit:
-------
The investigation was triggered by a proof-of-concept submitted by
Emilian Bold