matthiasblaesing commented on issue #4697: URL: https://github.com/apache/netbeans/issues/4697#issuecomment-1270434753
From my POV the description of CVE-2017-12629: https://nvd.nist.gov/vuln/detail/CVE-2017-12629 is pretty clear that the attack vector is through the SOLR server, which handles XML in an insecure way. Debian references two changesets in SOLR, which match that:

https://github.com/apache/lucene-solr/commit/7b313bb597a6d1f78773dc9c00f484c078a46c25
https://github.com/apache/lucene-solr/commit/926cc4d65b6d2cc40ff07f76d50ddeda947e3cc4

The entity that can query the NetBeans lucene store is the user himself - so I don't see an attack vector at this point in time. At least not through the referenced CVE.

My assumption is that the security scanner has information that "lucene" in version 3.6.2 is vulnerable, but misses the fact that lucene is not just SOLR, but also the engine itself.

The TL;DR version from my POV is: No, NetBeans is not vulnerable.
