<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TT8R4P" height="0" width="0" style="display:none;visibility:hidden">

Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Struts2 Exploited Again.  Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Exploit (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after the disclosure.  As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge -- attackers have first mover advantage. Therefore, the only thing that matters is speed.

  • How long before you even become aware?  
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle.  Forward leaning organizations empowered with DevOps-native intelligence will respond in hours or days.  Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure.  Here's the official description available from the Mitre database as of Friday, March 10th:

Did you wake up to an alert about the Java Deserialization vulnerability?

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collection. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.

Nigel’s Wake-up Call: Scaling Open Source Governance

The Wake-up Call

Partitioning Nexus Repositories: Video Overview and Demonstration

This video is a follow-up to Juven Xu's post from this morning,
How to Partition Nexus Repositories: Targets, Privileges, and Roles
. It provides some motivation and quick demonstration of how repositories are partitioned on http://oss.sonatype.org.

How to Partition Nexus Repositories: Targets, Privileges, and Roles

Part of my daily routine involves managing the Sonatype OSS Repository, a free, hosted Nexus Professional instance for hosting open source project repositories . There are more than 100 projects hosted on the OSS instance, and each project has at least one release repository, one snapshot repository, and one repository group. When we started offering this service I would create two repositories and a single repository group for each project, but as community adoption increased, I found that managing hundreds of repositories was become a very complicated and time-consuming task. In this post, I'm going to discuss how I consolidated hundreds of repositories down to a single release repository, snapshot repository, and repository group. I'm also going to discuss how I used Nexus security settings to partition these consolidated repositories, providing necessary isolation between separate projects.

If you are running a large instance of Nexus to manage internal development, or if you are responsible for an open source project's installation of Nexus, you can use the approach outlined in this post.