OSGI Security Vulnerability

[IanKrL]

This security vulnerability appears to be present in Netbeans:
https://www.cve.org/CVERecord?id=CVE-2023-54342

The problem is in Eclipse Equinox OSGi up to version 3.18. I see here that there are recent changes regarding osgi: eb590dd

It appears that after the latest changes the version in Netbeans remains at 3.9.1, but I'm unclear if these are the same versioning schemes.

For my project using the Netbeans Platform I need to resolve this security problem, but I'm not sure what I need to do here to request that. Should I file a bug report with links and request a library upgrade? Should I report this as a "Security Vulnerability"? And before I request anything, can somebody verify which version of Equinox is netbeans actually using? I'd appreciate any guidance here.

[matthiasblaesing]

Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection.

Is the telnet console active?!

[IanKrL]

The report does not specify what circumstances are required for the bug to be a problem. Does 'telnet' need to be explicitly turned on? Or is it only the generic 'Console' that needs to be enabled?

Basically, I do not know enough about the internals of OSGi or Netbeans Platform to comfortably say we are not vulnerable.

[matthiasblaesing]

From my pespective "remote code execution" requires a network connection. NetBeans opens a single socket (you can check for example on Linux with the ss tool or netstat on windows. That socket is used for CLI integration and is bound to localhost (on my machine IPv6 ::1).

The exploit code says:

This tool will let you open a reverse shell from the system that is running OSGi with the '-console' option in versions between 3.8 and 3.18.

That matches the observation, that I don't see an open port.