Open techexplorer0310 opened 1 year ago
NB is using lucene 6.x for everything Maven-related. But we should update the remaining modules too which still use old lucene.
Looks like upgrading lucene is not straightforward, as from 4.0.0 they have changed the package and class structure. So it needs to be almost re-written in NetBeans as per the migration document https://lucene.apache.org/core/4_0_0/MIGRATE.html
Yes, that's correct. A lucene upgrade would also affect the public API of NB modules, since some expose lucene directly in their APIs. I worked a little bit on that locally but got stuck and ran out of time.
I haven't looked through the CVE in detail. But vulnerabilities like this rarely affect software like IDEs since they don't expose search queries to third parties.
If you think there is a vulnerability in NB (e.g. an attack vector), please follow the rules described here: https://github.com/apache/netbeans/security/policy (listing a CVE of a third-party lib is not a sufficient reason to use that email address though)
pinging @neilcsmith-net @matthiasblaesing for more opinions
From my POV the description of CVE-2017-12629 (https://nvd.nist.gov/vuln/detail/CVE-2017-12629) is pretty clear that the attack vector is through the SOLR server, which handles XML in an insecure way. Debian references two changesets in SOLR which match that:
https://github.com/apache/lucene-solr/commit/7b313bb597a6d1f78773dc9c00f484c078a46c25 https://github.com/apache/lucene-solr/commit/926cc4d65b6d2cc40ff07f76d50ddeda947e3cc4
The entity that can query the NetBeans lucene store is the user himself, so I don't see an attack vector at this point in time. At least not through the referenced CVE.
My assumption is that the security scanner has information that "lucene" in version 3.6.2 is vulnerable, but misses the fact that lucene is not just SOLR, but also the engine itself.
The TL;DR version from my POV is: No, NetBeans is not vulnerable.
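The triage argument in the comment above (the scanner matches on the Lucene version string, while the CVE describes Solr's XML handling) can be turned into a repeatable check. The following script is an added example written for this thread, not NetBeans or Lucene project code: it walks an install tree, reads each jar's MANIFEST.MF, records the Lucene artifacts and versions it finds, and reports whether any bundled jar actually contains Solr classes (`org/apache/solr/`). The install layout, jar names, manifest attributes and the `build_sample_tree` helper are all constructed for the demonstration; run it against a real NetBeans directory by passing that path to `triage_install`.

```python
import os
import re
import tempfile
import zipfile

# Constructed for this example: the CVE under discussion and the package
# prefix that identifies Solr classes inside a jar.
CVE_ID = "CVE-2017-12629"
SOLR_MARKER = "org/apache/solr/"
LUCENE_NAME_RE = re.compile(r"^(lucene-[a-z0-9-]+)-(\d+\.\d+\.\d+)\.jar$")


def read_manifest(jar_path):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict.

    Manifest lines that start with a space continue the previous line, so
    they are joined before parsing; the main section ends at the first blank line.
    """
    attrs = {}
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return attrs  # jar without a manifest
    lines = []
    for line in raw.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    for line in lines:
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def contains_solr_classes(jar_path):
    """True if the jar ships any class under org/apache/solr/."""
    with zipfile.ZipFile(jar_path) as zf:
        return any(name.startswith(SOLR_MARKER) for name in zf.namelist())


def triage_install(root):
    """Collect Lucene artifacts under root and say whether Solr is bundled."""
    findings = []
    solr_present = False
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            if contains_solr_classes(path):
                solr_present = True
            m = LUCENE_NAME_RE.match(name)
            manifest = read_manifest(path)
            # Real Lucene manifests put extra build info after the version
            # number, so keep only the first token.
            version_tokens = manifest.get("Implementation-Version", "").split()
            version = version_tokens[0] if version_tokens else (m.group(2) if m else None)
            title = manifest.get("Implementation-Title") or (m.group(1) if m else None)
            if m or (title and "lucene" in title.lower()):
                findings.append({"jar": os.path.relpath(path, root),
                                 "artifact": title, "version": version})
    return {
        "cve": CVE_ID,
        "lucene_artifacts": sorted(findings, key=lambda f: f["jar"]),
        "solr_present": solr_present,
        "verdict": ("Solr classes bundled: the CVE's affected component is present, review"
                    if solr_present else
                    "Solr not bundled: scanner hit is a name/version match only, record as not applicable"),
    }


def make_jar(path, manifest_attrs, entries):
    """Write a constructed jar with the given manifest attributes and empty entries."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        body = "Manifest-Version: 1.0\n"
        body += "".join(f"{k}: {v}\n" for k, v in manifest_attrs.items()) + "\n"
        zf.writestr("META-INF/MANIFEST.MF", body)
        for entry in entries:
            zf.writestr(entry, b"")


def build_sample_tree(with_solr=False):
    """Constructed install tree mimicking two NetBeans clusters with different Lucene versions."""
    root = tempfile.mkdtemp(prefix="nb-triage-")
    make_jar(os.path.join(root, "ide", "modules", "ext", "lucene-core-3.6.2.jar"),
             {"Implementation-Title": "org.apache.lucene", "Implementation-Version": "3.6.2 1423725"},
             ["org/apache/lucene/index/IndexWriter.class"])
    make_jar(os.path.join(root, "java", "modules", "ext", "lucene-core-6.6.1.jar"),
             {"Implementation-Title": "org.apache.lucene", "Implementation-Version": "6.6.1"},
             ["org/apache/lucene/index/IndexWriter.class"])
    if with_solr:  # hypothetical case: a Solr jar shipped alongside the engine
        make_jar(os.path.join(root, "extra", "solr-core-6.6.1.jar"),
                 {"Implementation-Title": "org.apache.solr", "Implementation-Version": "6.6.1"},
                 ["org/apache/solr/core/SolrCore.class"])
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage_install(build_sample_tree()), indent=2))
```

The verdict is deliberately a triage note, not a security decision: a name-only match tells you the scanner keyed on the artifact name and version, which is exactly the situation described in the comment, while a bundled Solr jar means the finding needs a real review.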
Apache NetBeans version
Apache NetBeans 15
What happened
Hi,
We are using NetBeans 13 and a security scanner has identified a critical vulnerability issue, https://nvd.nist.gov/vuln/detail/CVE-2017-12629,
reported against the usage of Apache Lucene version 3.6.2. We have downloaded NetBeans 15 as well, but that also has the same version being used.
Please advise on any workarounds and the possibility of a patch.
Thanks
How to reproduce
Use any jar scanner and look at the vulnerability report.
Did this work correctly in an earlier version?
No / Don't know
Operating System
windows
JDK
jdk 17
Apache NetBeans packaging
Apache NetBeans binary zip
Anything else
No response
Are you willing to submit a pull request?
No
Code of Conduct
Yes