Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Why Insight App Health Check is so Important: Java Flaws Increasingly Targeted By Attackers

Check out this news story that broke earlier in the week: Java flaws are "increasingly targeted by attackers". This story was filed by IDG News Service from the Black Hat USA 2012 conference, and it points at a trend we've also noticed. The world is waking up to the fact that Java is an attractive target. Java applications run the world's largest organizations (from banks to governments). Where there is Java, there is usually a system worth hacking into. Security professionals are taking note.

Insight Application Health Check: Scan Your Application for Security and Licensing Issues in Minutes

We're releasing a product today that is something of a break from our other products, Nexus Professional and Insight for CI. First, it's a service that anyone can use; it isn't aimed at developers who use Maven, Nexus, or any build tool at all. Second, there's no download, and no step of the setup takes longer than 60 seconds. Anyone with an email address, Java, and access to an application's binaries can run an Insight scan in minutes, and we'll send you a free summary report covering licensing and security issues that may be present in your application.

The Latest Threat: A Virus Made Just For You

Technology Review – (International) The latest threat: A virus made just for you. The Flashback computer virus gained notoriety earlier in 2012 as the first malware to make headway against Apple's relatively untouched operating system, Mac OS X, infecting 600,000 victims' machines at the peak of the outbreak. However, computer scientists and security professionals were more worried about another aspect of the malware. The authors of Flashback used a technique that Hollywood often employs to prevent movie and music files from being copied: they added functions that bound the virus to each infected system. That technique prevented security companies from running the virus in their labs. New research shows that a refinement of the technique could make automated analysis of malware nearly impossible.

We Just Kicked Central Performance and Availability Up a Notch with Edgecast

Central is a critical resource for developers. If you develop Java applications and use Maven, Gradle, or Ivy, Central is what has made it easy for you to consume libraries using dependency declarations in your builds. For more than a decade, Central has been a solid, reliable presence supporting the community and making it easier not just for developers to consume software but also for open source projects to distribute software to the public. Before Central, assembling the dependencies and components that went into your project was a pain in the neck; after Central, the process of downloading dependencies became automatic.

Android Malware Is Booming

Help Net Security – (International) Android malware is booming. Trend Micro's January prediction that 11,000 pieces of Android malware would be detected by June 2012 proved completely inaccurate, and far too low: the number of malicious applications in the wild for Google's mobile operating system exploded and now stands at more than 25,000. Forty-eight percent of these malicious apps are premium service abusers, followed by 22 percent that are adware and 21 percent that are data stealers. Malicious downloaders account for 19 percent, while rooters, click fraudsters, and spying tools are at the bottom of the ladder. The apps are pushed onto users through third-party online stores and even the official Google Play app store. Usually, they masquerade as legitimate and popular software such as Angry Birds, Skype, and Instagram. This unexpected boom in Android malware made the researchers revise their expectations: they believe there may be a total of 129,000 different malicious apps by the end of 2012.

Oracle's July Patch Day Brings 87 Security Updates

H Security – (International) Oracle's July patch day brings 87 security updates. In its planned July Critical Patch Update (CPU), Oracle released 87 security updates to fix various vulnerabilities across many product families. The updates affect products including Oracle Fusion Middleware 11g, Oracle Database 10g and 11g, and MySQL. One of the holes was given the highest possible CVSS score of 10.0; it was closed in the JRockit Java Virtual Machine, which is part of Oracle Fusion. Holes were also closed in other Fusion components including Enterprise Manager for Fusion Middleware, Oracle HTTP Server, MapViewer, Outside In Technology, and Portal. The vulnerabilities that affect the Database Server were fixed in the Enterprise Manager for Oracle Database, in Core RDBMS, and in the network layer. Here, the highest CVSS score is 6.8; none of the holes in MySQL exceed this rating either. The company released security updates for Oracle Siebel CRM, Enterprise Manager Grid Control 10g and 11g, Hyperion BI+, Solaris, Solaris Cluster, the SPARC T-Series, the Glassfish Enterprise Server, and the Oracle iPlanet Web Server. Many of the closed holes can be exploited by remote attackers without authentication. Java is not affected by this CPU, as Oracle is planning to provide the next Java update with its October CPU.

Experts Find Filter Bypass Vulnerabilities In Barracuda Appliances

Softpedia – (International) Experts find filter bypass vulnerabilities in Barracuda appliances. Security researchers from Vulnerability Lab identified a serious security hole that could affect a number of companies relying on Barracuda products: a high-severity validation filter and exception handling bypass vulnerability in Barracuda's appliances. According to the researchers, the input filter designed to block persistent input attacks is flawed, exposing all of the security appliances. The vulnerable modules, Account MyResource Display and File Upload, persistently execute the saved URL path, which can contain malicious code. The researchers said the flaw can be fixed by parsing the second input request of the "file upload" function and the path URL request. To demonstrate their findings, they published a proof-of-concept video showing how the input filter in Barracuda SSL VPN can be bypassed by a local attacker to execute code persistently. Barracuda Networks was notified of the issues in May, but so far it is uncertain when a patch will be made available.

ICS-Alert-12-195-01—Tridium Niagara Directory Traversal And Weak Credential Storage Vulnerability

U.S. Industrial Control Systems Computer Emergency Response Team – (International) ICS-Alert-12-195-01—Tridium Niagara directory traversal and weak credential storage vulnerability. Two independent security researchers notified the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) of a directory traversal and weak credential storage vulnerability, with proof-of-concept exploit code, in Tridium Niagara AX Framework software. According to their research, the vulnerabilities are exploitable by downloading and decrypting the file containing the user credentials from the server. ICS-CERT is coordinating with the researchers and Tridium. Original attempts to coordinate vulnerability information were unsuccessful, and ICS-CERT, in coordination with the researchers, was planning a release of the vulnerability data. However, recent communications from Tridium indicated they were working on a solution, resulting in the delayed release of this Alert so mitigations and patches could be prepared. On July 12, a public report detailing the vulnerabilities was published, and as a result ICS-CERT shortened its release schedule and issued this Alert to warn of the unpatched vulnerabilities. Tridium released a security alert with instructions on how to implement interim mitigations. Tridium stated they are testing a software update that will resolve the vulnerabilities. ICS-CERT will issue an Advisory when the software update is available. According to the Tridium Web site, more than 300,000 instances of Niagara AX Framework are installed worldwide in applications that include energy management, building automation, telecommunications, security automation, machine to machine, lighting control, maintenance repair operations, service bureaus, and total facilities management.

Join Us: Sonatype Meetup in NYC - Wednesday, July 25, 2012

We're planning a Sonatype Meetup in New York City on Wednesday, July 25 at 6PM. Jason will be giving an informal talk on the next phase of Apache Maven-based development and how Sonatype is tackling all the hard problems in component lifecycle management. After that, he'll be giving a sneak peek of our product roadmap for both Nexus and Insight. He'll be hanging out afterwards to talk shop over drinks and appetizers.

Learning the Nexus REST API: Read the Docs or Fire Up a Browser

Nexus is more than a UI. It is a collection of services available for you to automate, and with those services you can integrate Nexus into whatever workflow makes sense for you. As a developer, this is what I look for in a product: something beyond the UI, something I can automate, and, most importantly, something that is documented. In Nexus, we've made it easy to start integrating Nexus REST services into your workflow by providing extensive documentation.

Yesterday's post was all about automating Nexus with REST services; today's post is about the tools you need to find and understand the hundreds of REST endpoints Nexus exposes. If you are trying to automate anything in Nexus, you should know that there are two ways to "read" the Nexus REST API. You can access the plugin documentation via the Nexus UI, or you can use a tool like Firebug in Firefox or Chrome's Developer Tools and inspect the requests the Nexus UI itself generates.

New Java Exploit To Debut In BlackHole Exploit Kits

While this appeared on our Security feed last week, it's important enough to reblog here because it affects just about everyone who is running Nexus. If you haven't yet applied the latest Java patch from Oracle, it's time to do so, because the exploit is starting to show up in exploit kits such as BlackHole. While our Insight product isn't specifically designed to catch JVM-level vulnerabilities, it will catch insecure libraries in your applications. Learn more about Insight today.

Nexus Pro: Automating Staging Workflow with Gradle using the Nexus REST APIs

I recently had a request from a customer for some guidance on how to automate Staging in Nexus Professional from Gradle. Here was his core problem: he had a series of builds that needed to deploy to a staging URL and he was wondering if it was possible to automate the closing of a repository from Gradle. It is. While we've made it easy to do this in Maven with the Nexus Maven Plugin we didn't have the equivalent example in Groovy. This post gives some guidance to anyone who needs to call out to our REST services from Groovy.

As Nexus Professional exposes every feature as a REST endpoint, it is easy to automate these interactions from just about any language. This sample demonstrates how to incorporate calls to Nexus REST APIs directly into your build. It also provides a model for parsing JSON responses from Nexus and posting JSON requests. If you are interested in more of these examples, please let us know in the comments of this post. (One thing is sure: this particular example could use some improvement, so please be harsh.)
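As an added illustration (not the sample from the original post, and not Sonatype's own code), here is a Gradle build fragment that does the close step described above from Groovy. It assumes the Nexus Professional 2.x staging REST paths used by the Nexus Staging Maven plugin (`/service/local/staging/profile_repositories` for listing and `/service/local/staging/bulk/close` for closing) and the JSON field names `data`, `repositoryId`, `profileId`, `type` and `stagedRepositoryIds`; the host, profile id and environment variable names are placeholders. Verify the paths and payload shapes against your own instance, for example by watching the requests the Staging tab makes in your browser's developer tools, as the REST API post above describes.

```groovy
import groovy.json.JsonOutput
import groovy.json.JsonSlurper

// Hypothetical settings: point these at your own Nexus Professional instance.
// Credentials are read from the environment so they never land in build.gradle
// or in source control. Use HTTPS: Basic auth sends the password on every request.
def nexusUrl         = 'https://nexus.example.com/nexus'                      // assumed host
def stagingProfileId = System.getenv('NEXUS_STAGING_PROFILE_ID') ?: '1a2b3c'  // assumed profile id
def nexusUser        = System.getenv('NEXUS_USER')
def nexusPassword    = System.getenv('NEXUS_PASSWORD')

// Minimal JSON-over-HTTP helper for the Nexus REST services. Sends an optional
// JSON body, returns the parsed JSON response (null for an empty body) and
// fails the build on any HTTP error so a broken close cannot go unnoticed.
def nexusRequest = { String method, String path, Object body = null ->
    if (!nexusUser || !nexusPassword) {
        throw new GradleException('Set NEXUS_USER and NEXUS_PASSWORD in the environment')
    }
    HttpURLConnection conn = new URL("${nexusUrl}${path}").openConnection()
    conn.requestMethod = method
    String credentials = "${nexusUser}:${nexusPassword}".toString()
    conn.setRequestProperty('Authorization',
        'Basic ' + credentials.getBytes('UTF-8').encodeBase64().toString())
    conn.setRequestProperty('Accept', 'application/json')
    if (body != null) {
        conn.doOutput = true
        conn.setRequestProperty('Content-Type', 'application/json')
        conn.outputStream.withWriter('UTF-8') { it << JsonOutput.toJson(body) }
    }
    int status = conn.responseCode
    if (status >= 400) {
        String err = conn.errorStream?.getText('UTF-8') ?: ''
        throw new GradleException("Nexus ${method} ${path} returned HTTP ${status}: ${err}")
    }
    String text = conn.inputStream.getText('UTF-8')
    return text ? new JsonSlurper().parseText(text) : null
}

// Lists the staging repositories of our profile so you can see what a build
// would close before it does so (ids, open/closed state, description).
task listStagingRepos {
    doLast {
        def repos = nexusRequest('GET', '/service/local/staging/profile_repositories').data
        repos.findAll { it.profileId == stagingProfileId }.each {
            println "${it.repositoryId}\t${it.type}\t${it.description ?: ''}"
        }
    }
}

// Closes every open staging repository in our profile. Closing is what runs the
// staging rules (checksum, signature, POM checks) and makes the repository
// immutable; releasing or dropping it afterwards is a separate bulk call.
task closeStagingRepos {
    doLast {
        def repos = nexusRequest('GET', '/service/local/staging/profile_repositories').data
        def openIds = repos.findAll { it.profileId == stagingProfileId && it.type == 'open' }*.repositoryId
        if (openIds.isEmpty()) {
            println "No open staging repositories for profile ${stagingProfileId}"
            return
        }
        nexusRequest('POST', '/service/local/staging/bulk/close',
            [data: [stagedRepositoryIds: openIds,
                    description: "Closed by Gradle build of ${project.name} ${project.version}".toString()]])
        println "Requested close of ${openIds}; check the Staging tab for rule results"
    }
}
```

Run `gradle listStagingRepos` to confirm which repositories are open, then `gradle closeStagingRepos` once your artifacts have been uploaded to the staging URL. The close request returns as soon as Nexus has queued it, so rule failures show up in the Staging tab (or a subsequent listing) rather than in the build output; a stricter build would poll the listing until the repository's `type` is no longer `open`.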

Head Of Pentagon's Cyber Command Calls For Clear Cyber Security Legislation

Head of Pentagon's Cyber Command Calls for Clear Cyber Security Legislation. US Army General Keith Alexander, head of the Pentagon's Cyber Command and the National Security Agency (NSA), has called for legislators to clarify who is responsible for what in defending the country's computer systems from attacks. General Alexander says it's important that the issues get sorted out before the US is the target of a major cyber attack. He pointed to the SANS Top 20 critical security controls as a model standard for what organizations need to do to protect their systems. Responsibility for defending the country's computer systems falls to several government agencies, including the Department of Defense, the FBI, and the Department of Homeland Security. General Alexander said, "The probability for crisis is mounting."

Thieves Exploiting Vulnerability In On-Board Diagnostic System To Steal BMWs

ZDNet - Thieves Exploiting Vulnerability in On-Board Diagnostic System to Steal BMWs. Thieves have figured out a way to steal BMWs with keyless entry technology. They are able to bypass alarm systems. It is believed that the thieves are gaining access to the cars' On-Board Diagnostic (OBD) system to program new key fobs. The vehicles' OBD ports are constantly powered, even when the vehicles are off, and they do not require passwords.

Component Lifecycle Management with your Apache Maven Infrastructure

The way software is developed has changed over the last ten years: it has shifted from companies developing the vast majority of their own software to an approach that depends on freely available open source components. Today, the vast majority (upwards of 90%) of Java-based applications are assembled from components, and very little of these applications consists of code that companies build internally. The extent to which open source components are being used is not widely known within companies that have thousands of applications and hundreds of thousands of downloads from the Central repository.

Wait... you don't have a repository manager?

I've seen it all. I really have. The highly paid consultant from a well-known enterprise software vendor who once told me: "I don't need to use an IDE, I do everything in Notepad."... all the way to a client that was convinced the best relational database was the one they built in-house (my reaction: really? you can do better than MySQL or Oracle or Postgres? With one developer? I'd like to see this).