
Apache NetBeans
https://netbeans.apache.org/
Apache License 2.0

Apache Lucene 3.6.2 critical vulnerability issue - CVE-2017-12629 #4697

Open techexplorer0310 opened 1 year ago

techexplorer0310 commented 1 year ago

Apache NetBeans version

Apache NetBeans 15

What happened

Hi,

We are using NetBeans 13 and a security scanner has identified a critical vulnerability issue, https://nvd.nist.gov/vuln/detail/CVE-2017-12629, reported against the usage of Apache Lucene version 3.6.2. We have downloaded NetBeans 15 as well, but it also uses the same version.

Please advise on any workarounds and the possibility of a patch.

Thanks

How to reproduce

Use any jar scanner and look at the vulnerability report.

Did this work correctly in an earlier version?

No / Don't know

Operating System

Windows

JDK

JDK 17

Apache NetBeans packaging

Apache NetBeans binary zip

Anything else

No response

Are you willing to submit a pull request?

No

Code of Conduct

Yes

mbien commented 1 year ago

NB is using Lucene 6.x for everything Maven related. But we should also update the remaining modules, which still use the old Lucene.

techexplorer0310 commented 1 year ago

Looks like upgrading Lucene is not straightforward, as from 4.0.0 they have changed the package and class structure. So it needs to be almost rewritten in NetBeans, as per the migration document https://lucene.apache.org/core/4_0_0/MIGRATE.html

mbien commented 1 year ago

Yes, that's correct. A Lucene upgrade would also affect the public API of NB modules, since some expose Lucene directly in their APIs. I worked a little bit on that locally but got stuck and ran out of time.

I haven't looked through the CVE in detail. But vulnerabilities like this rarely affect software like IDEs, since they don't expose search queries to third parties.

If you think there is a vulnerability in NB (e.g. an attack vector), please follow the rules described here: https://github.com/apache/netbeans/security/policy (listing a CVE of a third-party lib is not a sufficient reason to use that email address, though).

Pinging @neilcsmith-net @matthiasblaesing for more opinions.

matthiasblaesing commented 1 year ago

From my POV the description of CVE-2017-12629 (https://nvd.nist.gov/vuln/detail/CVE-2017-12629) is pretty clear that the attack vector is through the Solr server, which handles XML in an insecure way. Debian references two changesets in Solr which match that:

https://github.com/apache/lucene-solr/commit/7b313bb597a6d1f78773dc9c00f484c078a46c25
https://github.com/apache/lucene-solr/commit/926cc4d65b6d2cc40ff07f76d50ddeda947e3cc4

The entity that can query the NetBeans Lucene store is the user himself, so I don't see an attack vector at this point in time. At least not through the referenced CVE.

My assumption is that the security scanner has information that "lucene" in version 3.6.2 is vulnerable, but misses the fact that Lucene is not just Solr, but also the engine itself.

The TL;DR version from my POV is: No, NetBeans is not vulnerable.
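As an added example (not code from this thread or from the NetBeans project), a small Python triage script that makes the distinction drawn above: it lists a jar's class entries and reports whether the flagged artifact actually ships `org/apache/solr/` server classes or only the `org/apache/lucene/` engine. The jars it inspects are constructed in memory; the package prefixes are the real Lucene/Solr ones, the verdict labels are my own.

```python
import io
import zipfile

# Package prefixes: org/apache/solr/ marks the Solr server code (where the CVE's
# XML-handling fix landed); org/apache/lucene/ marks the bare search engine.
SOLR_PREFIX = "org/apache/solr/"
LUCENE_PREFIX = "org/apache/lucene/"


def classify_jar(jar_bytes: bytes) -> dict:
    """Count Lucene vs Solr class entries in a jar and return a triage verdict."""
    lucene = solr = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith(SOLR_PREFIX):
                solr += 1
            elif name.startswith(LUCENE_PREFIX):
                lucene += 1
    if solr:
        verdict = "solr-present"   # Solr server classes shipped: CVE may apply
    elif lucene:
        verdict = "lucene-only"    # engine only, no Solr: a name-match false positive
    else:
        verdict = "no-lucene"
    return {"lucene_classes": lucene, "solr_classes": solr, "verdict": verdict}


def build_jar(entries) -> bytes:
    """Build an in-memory jar from entry names (constructed test data, empty bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed stand-ins for a Lucene core jar and a Solr jar (not real artifacts).
LUCENE_CORE_JAR = build_jar([
    "org/apache/lucene/index/IndexWriter.class",
    "org/apache/lucene/search/IndexSearcher.class",
])
SOLR_JAR = build_jar([
    "org/apache/solr/core/SolrCore.class",
    "org/apache/lucene/analysis/Analyzer.class",
])

if __name__ == "__main__":
    for label, jar in (("lucene-core", LUCENE_CORE_JAR), ("solr", SOLR_JAR)):
        print(label, classify_jar(jar))
```

Point `classify_jar` at the bytes of the jar your scanner flagged; a `lucene-only` verdict is the situation described in this thread, while `solr-present` means the CVE text still needs to be read against that deployment.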