Posted to notifications@netbeans.apache.org by GitBox <gi...@apache.org> on 2022/09/28 12:27:31 UTC

[GitHub] [netbeans] techexplorer0310 opened a new issue, #4697: Apache Lucene 3.6.2 critical vulnerability issue - CVE-2017-12629

techexplorer0310 opened a new issue, #4697:
URL: https://github.com/apache/netbeans/issues/4697

   ### Apache NetBeans version
   
   Apache NetBeans 15
   
   ### What happened
   
   Hi,
   
   We are using NetBeans 13 and a security scanner has identified a critical vulnerability issue, https://nvd.nist.gov/vuln/detail/CVE-2017-12629,
   
   reported against the usage of Apache Lucene version 3.6.2. We have downloaded NetBeans 15 as well, but that also uses the same version.
   
   Please advise on any workarounds and the possibility of a patch.
   
   Thanks
   
   ### How to reproduce
   
   Use any jar scanner and look for the vulnerability report.
   
   ### Did this work correctly in an earlier version?
   
   No / Don't know
   
   ### Operating System
   
   windows
   
   ### JDK
   
   jdk 17
   
   ### Apache NetBeans packaging
   
   Apache NetBeans binary zip
   
   ### Anything else
   
   _No response_
   
   ### Are you willing to submit a pull request?
   
   No
   
   ### Code of Conduct
   
   Yes


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@netbeans.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@netbeans.apache.org
For additional commands, e-mail: notifications-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists


[GitHub] [netbeans] mbien commented on issue #4697: Apache Lucene 3.6.2 critical vulnerability issue - CVE-2017-12629

mbien commented on issue #4697:
URL: https://github.com/apache/netbeans/issues/4697#issuecomment-1261358392

   NB is using Lucene 6.x for everything Maven related. But we should update the remaining modules too, which still use the old Lucene.




[GitHub] [netbeans] matthiasblaesing commented on issue #4697: Apache Lucene 3.6.2 critical vulnerability issue - CVE-2017-12629

matthiasblaesing commented on issue #4697:
URL: https://github.com/apache/netbeans/issues/4697#issuecomment-1270434753

   From my POV the description of CVE-2017-12629 (https://nvd.nist.gov/vuln/detail/CVE-2017-12629) is pretty clear that the attack vector is through the Solr server, which handles XML in an insecure way. Debian references two changesets in Solr which match that:
   
   https://github.com/apache/lucene-solr/commit/7b313bb597a6d1f78773dc9c00f484c078a46c25
   https://github.com/apache/lucene-solr/commit/926cc4d65b6d2cc40ff07f76d50ddeda947e3cc4
   
   The entity that can query the NetBeans Lucene store is the user himself, so I don't see an attack vector at this point in time, at least not through the referenced CVE.
   
   My assumption is that the security scanner has information that "lucene" in version 3.6.2 is vulnerable, but misses the fact that Lucene is not just Solr, but also the engine itself.
   
   The TL;DR version from my POV is: No, NetBeans is not vulnerable.
   



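A triage helper, added here as an example and not part of the issue or of the NetBeans code base, that makes the point above checkable: it inspects a jar's class entries to tell whether the archive ships Solr (`org/apache/solr`) or only the Lucene engine (`org/apache/lucene`), next to the manifest version string a scanner keys on. The two jars are constructed in memory and are not real Apache artifacts.

```python
"""Classify a jar flagged as "lucene 3.6.2": Solr server or Lucene engine only?

Added example, not part of the NetBeans project. The sample jars below are
constructed in memory so the script runs offline.
"""
import io
import zipfile
from typing import Dict, Optional

SOLR_PREFIX = "org/apache/solr/"
LUCENE_PREFIX = "org/apache/lucene/"


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Construct an in-memory jar (a zip file) from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def triage_jar(jar_bytes: bytes) -> dict:
    """Report version and which component's classes the archive actually contains.

    A finding keyed only on the version string deserves a second look when no
    org/apache/solr class is shipped: the Solr server code is then absent.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        classes = [n for n in zf.namelist() if n.endswith(".class")]
        has_solr = any(n.startswith(SOLR_PREFIX) for n in classes)
        has_lucene = any(n.startswith(LUCENE_PREFIX) for n in classes)
        component = "solr" if has_solr else "lucene-engine" if has_lucene else "unknown"
        return {"version": manifest_version(zf), "has_solr_classes": has_solr,
                "has_lucene_classes": has_lucene, "component": component}


# Constructed sample jars (hypothetical contents, minimal class stubs).
LUCENE_CORE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 3.6.2\n",
    "org/apache/lucene/index/IndexReader.class": b"\xca\xfe\xba\xbe"})
SOLR_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 3.6.2\n",
    "org/apache/solr/core/SolrCore.class": b"\xca\xfe\xba\xbe"})
```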

[GitHub] [netbeans] mbien commented on issue #4697: Apache Lucene 3.6.2 critical vulnerability issue - CVE-2017-12629

mbien commented on issue #4697:
URL: https://github.com/apache/netbeans/issues/4697#issuecomment-1269314768

   Yes, that's correct. A Lucene upgrade would also affect the public API of NB modules, since some expose Lucene directly in their APIs. I worked a little bit on that locally but got stuck and ran out of time.
   
   I haven't looked through the CVE in detail. But vulnerabilities like this rarely affect software like IDEs, since they don't expose search queries to third parties.
   
   If you think there is a vulnerability in NB (e.g. an attack vector), please follow the rules described here: 
   https://github.com/apache/netbeans/security/policy
   (listing a CVE of a third-party lib is not a sufficient reason to use that email address, though) 
   
   Pinging @neilcsmith-net @matthiasblaesing for more opinions.

