<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TT8R4P" height="0" width="0" style="display:none;visibility:hidden">

Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Struts2 Exploited Again.  Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Exploit (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after the disclosure.  As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge -- attackers have first mover advantage. Therefore, the only thing that matters is speed.

  • How long before you even become aware?  
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle.  Forward leaning organizations empowered with DevOps-native intelligence will respond in hours or days.  Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure.  Here's the official description available from the Mitre database as of Friday, March 10th:

Nexus Lifecycle and IntelliJ IDEA

Our roots are deeply secured to the development community at Sonatype. While Nexus products now span roles and responsibilities across an organization, we’re always looking to consider the needs of our developer tribe. We make it a point to continually add developer-focused features to our suite of products as part of this commitment. We also work to ensure our products integrate with today’s modern developer tool stack. 

Why CEO’s Choose Harry

We are excited to see GrowthCap just announced NEA’s Harry Weller as their Investor of the Year. Harry and our CEO, Wayne Jackson, started working together in 1998 when he invested in Riverbed Technologies, followed by an investment in SourceFire, and most recently teaming up for the third time with Sonatype. We’re honored to be partnered with Harry and NEA to be developing an awesome future for software development organizations with our software supply chain and repository management solutions.

Getting Rugged DevOps Right

Two Perspectives

Jack, an accomplished application security pro, tells me, “The developers won’t talk to us. It’s like we speak a different language. They are releasing new builds so fast, how could they check each one for security vulnerabilities? We can’t move as fast as they do.”

Did you wake up to an alert about the Java Deserialization vulnerability?

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collection. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.