Apache NetBeans Vulnerability [CVE-2018-17191]

CVE Number – CVE-2018-17191

Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PAC) interpretation is vulnerable for remote command execution (RCE). Using the nashorn script engine the environment of the javascript execution for the Proxy Auto-Configuration leaks privileged objects, that can be used to circumvent the execution limits. If a different script engine was used, no execution limits were in place. Both vectors allow remote code execution.

To be vulnerable to the issue, the system running NetBeans needs to beconfigured to use Proxy Auto-Configuration (PAC), NetBeans must beconfigured to use the system proxy settings and the attacker needs tobe able to modify the PAC script.Proxy Auto-Configuration (PAC) allows a proxy provider to provide theclient with an automatic configuration of the proxy configuration. Theconfiguration is not a static description, but JavaScript code, thatcalculates the proxy information based on the URL requested.

Depending on the Java Version NetBeans is executed, two vectors exists:If the Java Version supports the Nashorn JavaScript engine, execution was sandboxed by limiting the classes accessible to the script. It wasfound, that, due to the vulnerability in the JRE, the sandbox can be circumvented. This allows arbitrary code to be executed in the context of the NetBeans application.If the Java Version does not support Nashorn, a generic JavaScript engine was used, which is not further restricted. This allows execution of arbitrary code in the context of the NetBeans application.

Mitigation

The issue can be mitigated utilising one of the following options:

– Upgrade to Apache NetBeans 10.0- Disable Proxy Auto-Configuration for the whole OS(please refer to the system documentation how to do that)

– Disable “Use System Proxy Settings” in the NetBeans Options and configure the Proxy to use manually