oss-sec mailing list archives
[CVE-2018-17191] Apache NetBeans 9.0 Proxy Auto-Configuration (PAC) interpretation is vulnerable for remote command execution (RCE)
From: Matthias Bläsing <mblaesing () doppel-helix eu>
Date: Sun, 30 Dec 2018 13:48:52 +0100
CVE-ID
------
CVE-2018-17191

Summary
-------
NetBeans Proxy Auto-Configuration (PAC) interpretation is vulnerable for remote command execution (RCE)

Versions Affected:
------------------
- Apache NetBeans (incubating) 9.0
- NetBeans releases before the Apache transition started may be also affected

Description:
------------
To be vulnerable to the issue, the system running NetBeans needs to be configured to use Proxy Auto-Configuration (PAC), NetBeans must be configured to use the system proxy settings and the attacker needs to be able to modify the PAC script.

Proxy Auto-Configuration (PAC) allows a proxy provider to provide the client with an automatic configuration of the proxy configuration. The configuration is not a static description, but JavaScript code, that calculates the proxy information based on the URL requested.

Depending on the Java Version NetBeans is executed, two vectors exist:

If the Java Version supports the Nashorn JavaScript engine, execution was sandboxed by limiting the classes accessible to the script. It was found, that, due to the vulnerability in the JRE, the sandbox can be circumvented. This allows arbitrary code to be executed in the context of the NetBeans application.

If the Java Version does not support Nashorn, a generic JavaScript engine was used, which is not further restricted. This allows execution of arbitrary code in the context of the NetBeans application.

Mitigation:
-----------
The issue can be mitigated utilizing one of the following options:

- Upgrade to Apache NetBeans 10.0
- Disable Proxy Auto-Configuration for the whole OS (please refer to the system documentation how to do that)
- Disable "Use System Proxy Settings" in the NetBeans Options and configure the Proxy to use manually

Credit:
-------
The issue was identified by Moritz Bechler.
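Because a PAC file is JavaScript that the client executes, a PAC script someone has modified can be triaged by listing every global it references outside the usual PAC helper functions. The following is an added example, not part of the advisory or of NetBeans; `auditPac`, both sample scripts and the names `hostBridge` and `loadExtra` are constructed for illustration, and the regex scan is a heuristic (a second name in `var a, b` or an object-literal key is reported as a false positive), not a sandbox.

```javascript
// Added example: flag identifiers in a PAC script that are neither PAC helpers,
// core JavaScript words, nor names the script declares itself.
const PAC_API = new Set(["FindProxyForURL", "isPlainHostName", "dnsDomainIs",
  "localHostOrDomainIs", "isResolvable", "isInNet", "dnsResolve", "convert_addr",
  "myIpAddress", "dnsDomainLevels", "shExpMatch", "weekdayRange", "dateRange",
  "timeRange", "alert"]);
const JS_WORDS = new Set(("var let const function return if else for while do break " +
  "continue switch case default new typeof in of true false null undefined this " +
  "Math String Number Array RegExp Date parseInt isNaN").split(" "));

function auditPac(source) {
  // One pass: blank out string literals and comments so their text is not read as code.
  const code = source.replace(
    /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g,
    (m) => (m[0] === "/" ? " " : '""'));
  const declared = new Set();
  for (const m of code.matchAll(/\b(?:var|let|const|function)\s+([A-Za-z_$][\w$]*)/g))
    declared.add(m[1]);
  for (const m of code.matchAll(/\bfunction\b[^(]*\(([^)]*)\)/g))
    m[1].split(",").map((s) => s.trim()).filter(Boolean).forEach((p) => declared.add(p));
  const unexpected = new Set();
  // An identifier not preceded by "." is a variable or global reference.
  for (const m of code.matchAll(/(?<![\w$.])[A-Za-z_$][\w$]*/g)) {
    const id = m[0];
    if (!PAC_API.has(id) && !JS_WORDS.has(id) && !declared.has(id)) unexpected.add(id);
  }
  return [...unexpected].sort();
}

// Constructed sample: an ordinary PAC script.
const cleanPac = `function FindProxyForURL(url, host) {
  // internal hosts go direct
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (shExpMatch(url, "http://*.example.org/*")) return "PROXY proxy.corp.example:8080";
  return "PROXY proxy.corp.example:8080; DIRECT";
}`;

// Constructed sample: hostBridge and loadExtra stand in for any non-PAC global.
const modifiedPac = `function FindProxyForURL(url, host) {
  var helper = hostBridge.lookup("x"); /* not a PAC helper */
  loadExtra(helper);
  return "DIRECT";
}`;

console.log(auditPac(cleanPac));    // nothing outside the PAC API
console.log(auditPac(modifiedPac)); // names to review by hand
```

A non-empty result means the script needs manual review; an empty result does not replace the mitigations listed in the advisory.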